
iexplore.exe virus


Name: GaryBrooke
Date: June 3, 2009 at 15:56:00 Pacific
OS: Windows XP 2002 SP2
Product: Dell precision / Pws670
Subcategory: Viruses
Comment:

I seem to have a virus linked to iexplore.exe. A second iexplore.exe keeps appearing in Task Manager even after I delete it. It appears to be a valid incarnation of iexplore.exe in the Program Files\Internet Explorer directory. Periodically this iexplore.exe establishes a link to an outside site (sounds like a radio station at first and then transitions to an open-mike type setting). If I kill the unwanted iexplore.exe it kills the link. Annoying but manageable; however, there seems to be a second feature in that my computer now hangs and I have to do a hard reboot (sometimes more than once) to come back up. I have seen other sites talking about an iexplore.exe virus but the symptoms seem quite different from mine. I have SpyDoctor and RegGenie but neither fixes the problem nor seems to detect it. Any ideas?
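A quick way to pin down which iexplore.exe is the odd one out, before killing anything, is to correlate the process list with the connection table. The block below is an added example for this thread, not something from the original post: it parses the text output of two commands built into Windows XP, `tasklist /v /fo csv` and `netstat -ano`, and flags iexplore.exe processes that have no window title yet hold an established connection, or that talk to a port other than 80/443. Both inputs are constructed samples (PIDs, hostnames and the 203.0.113.x / 198.51.100.x addresses are made up; the latter are reserved documentation ranges), and the "no window plus non-web port" rule is an assumed heuristic, not a signature.

```python
"""Correlate iexplore.exe processes with their network connections from the
text output of `tasklist /v /fo csv` and `netstat -ano` (Windows XP).

Added example for this thread; not from the original post. The two inputs are
constructed samples and the flagging rule is an assumed heuristic."""
import csv
import io
import re

# Constructed sample of `tasklist /v /fo csv` output (XP column layout).
TASKLIST_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"explorer.exe","1234","Console","0","22,000 K","Running","PWS670\\c9489","0:00:05","N/A"
"iexplore.exe","2048","Console","0","40,000 K","Running","PWS670\\c9489","0:00:10","Computing.Net - Windows Internet Explorer"
"iexplore.exe","3100","Console","0","18,000 K","Running","PWS670\\c9489","0:01:42","N/A"
'''

# Constructed sample of `netstat -ano` output; remote hosts are documentation addresses.
NETSTAT_TEXT = '''
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1045      203.0.113.7:80         ESTABLISHED     2048
  TCP    192.168.1.10:1052      198.51.100.23:8000     ESTABLISHED     3100
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  UDP    0.0.0.0:500            *:*                                    700
'''

NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"       # UDP rows carry no State column
)
WEB_PORTS = {80, 443}   # assumption: a browser process is expected to talk to these


def parse_tasklist(text):
    """Return {pid: row-dict} from `tasklist /v /fo csv` output."""
    return {int(row["PID"]): row for row in csv.DictReader(io.StringIO(text))}


def parse_netstat(text):
    """Return a list of connection dicts from `netstat -ano` output."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue                                    # banner and header lines
        host, _, port = m.group("remote").rpartition(":")
        conns.append({"proto": m.group("proto"), "local": m.group("local"),
                      "remote_host": host,
                      "remote_port": int(port) if port.isdigit() else None,
                      "state": m.group("state"), "pid": int(m.group("pid"))})
    return conns


def suspicious_iexplore(procs, conns):
    """Flag iexplore.exe processes worth a closer look, with the reasons."""
    by_pid = {}
    for c in conns:
        by_pid.setdefault(c["pid"], []).append(c)
    findings = []
    for pid, row in sorted(procs.items()):
        if row["Image Name"].lower() != "iexplore.exe":
            continue
        established = [c for c in by_pid.get(pid, []) if c["state"] == "ESTABLISHED"]
        reasons = []
        if row["Window Title"] == "N/A" and established:
            reasons.append("no window title but holds %d established connection(s)"
                           % len(established))
        for c in established:
            if c["remote_port"] not in WEB_PORTS:
                reasons.append("established to %s:%s (not a web port)"
                               % (c["remote_host"], c["remote_port"]))
        if reasons:
            findings.append({"pid": pid, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_iexplore(parse_tasklist(TASKLIST_CSV), parse_netstat(NETSTAT_TEXT)):
        print("PID %d:" % f["pid"], "; ".join(f["reasons"]))
```

Treat a hit as a lead, not a verdict: `tasklist` does not show the parent process, so follow up with `wmic process where "name='iexplore.exe'" get ProcessId,ParentProcessId,CommandLine` to see what spawned the extra instance, and bear in mind that Internet Explorer 8 runs tabs as separate iexplore.exe processes with no window title, which this rule will also flag. A kernel rootkit of the kind this thread later identifies can hide processes and connections from both tools, so an empty result from userland commands is not proof of a clean machine.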




Response Number 1
Name: jdk (by neoark)
Date: June 3, 2009 at 16:01:59 Pacific
Reply:

Download and run Kaspersky AVP tool: http://devbuilds.kaspersky-labs.com...
Once you download and start the tool:

# Check below options:

    * Select all the objects/places to be scanned. 
    * Settings > Customize > Heuristic analyzer > Enable deep rootkit search

# Click Scan
# Fix what it detects
# Attach Scan log/Summary to your next message.

Illustrated tutorial: http://img32.imageshack.us/img32/76...

-------------------------------------------------



Response Number 2
Name: GaryBrooke
Date: June 3, 2009 at 16:34:03 Pacific
Reply:

Thanks for the prompt reply. I have initiated the download of the Kaspersky software. It tells me to delete other anti-virus software... does that include SpyDoctor and RegGenie?



Response Number 3
Name: jdk (by neoark)
Date: June 3, 2009 at 17:03:02 Pacific
Reply:

Doesn't it tell you? You can also run web AV scanner: http://usa.kaspersky.com/products_s...

-------------------------------------------------



Response Number 4
Name: GaryBrooke
Date: June 4, 2009 at 11:28:26 Pacific
Reply:

Okay, I have removed all other virus protection software and run the Kaspersky AVP tool. There appear to be two types of viruses: Rootkit.Win32.TDSS.a and three instances of Packed.Win32.TDSS.f. The Kaspersky tool seems to be able to delete the .f files but they reappear on reboot. It is not clear that it has been able to do anything about the .a virus. Since I don't see a mechanism for 'attaching' a file, I have pasted the scan log text results below.

=====================
Disinfect active threats: completed 6/4/2009 1:50:58 PM (events: 4, objects: 2483, time: 00:00:16)
6/4/2009 10:28:48 AM Task completed
6/4/2009 10:28:00 AM Task started
Disinfect active threats: completed 6/4/2009 1:50:58 PM (events: 4, objects: 2483, time: 00:00:16)
6/4/2009 10:41:24 AM Task stopped
6/4/2009 10:41:03 AM Detected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 10:41:03 AM Task started
6/4/2009 10:38:59 AM Task stopped
6/4/2009 10:37:22 AM Detected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 10:37:22 AM Task started
Disinfect active threats: completed 6/4/2009 1:50:58 PM (events: 4, objects: 2483, time: 00:00:16)
6/4/2009 10:39:11 AM Task completed
6/4/2009 10:38:59 AM Disinfected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 10:38:59 AM Detected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 10:38:59 AM Task started
Disinfect active threats: completed 6/4/2009 1:50:58 PM (events: 4, objects: 2483, time: 00:00:16)
6/4/2009 10:41:40 AM Task completed
6/4/2009 10:41:24 AM Disinfected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 10:41:24 AM Detected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 10:41:24 AM Task started
Disinfect active threats: completed 6/4/2009 1:50:58 PM (events: 4, objects: 2483, time: 00:00:16)
6/4/2009 11:14:22 AM Task completed
6/4/2009 11:14:22 AM Disinfected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 11:09:43 AM Detected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 11:09:43 AM Untreated: not-a-virus:AdWare.Win32.BHO.fb C:\WINDOWS\system32\vwR455ef.dll Skipped by user
6/4/2009 11:09:43 AM Detected: not-a-virus:AdWare.Win32.BHO.fb C:\WINDOWS\system32\vwR455ef.dll
6/4/2009 11:09:43 AM Untreated: not-a-virus:AdWare.Win32.BHO.fb C:\WINDOWS\system32\vQU7Cn1s.dll Skipped by user
6/4/2009 11:09:43 AM Detected: not-a-virus:AdWare.Win32.BHO.fb C:\WINDOWS\system32\vQU7Cn1s.dll
6/4/2009 11:09:43 AM Untreated: not-a-virus:AdWare.Win32.BHO.fb C:\Documents and Settings\c9489\Local Settings\Temp\vwR455ef.exe Skipped by user
6/4/2009 11:09:43 AM Detected: not-a-virus:AdWare.Win32.BHO.fb C:\Documents and Settings\c9489\Local Settings\Temp\vwR455ef.exe
6/4/2009 11:09:43 AM Untreated: not-a-virus:AdWare.Win32.BHO.fb C:\Documents and Settings\c9489\Local Settings\Temp\vQU7Cn1s.exe Skipped by user
6/4/2009 11:09:43 AM Detected: not-a-virus:AdWare.Win32.BHO.fb C:\Documents and Settings\c9489\Local Settings\Temp\vQU7Cn1s.exe
6/4/2009 11:09:43 AM Deleted: Packed.Win32.Tdss.m C:\Documents and Settings\c9489\Local Settings\Temp\d.exe
6/4/2009 11:09:43 AM Detected: Packed.Win32.Tdss.m C:\Documents and Settings\c9489\Local Settings\Temp\d.exe
6/4/2009 11:09:43 AM Deleted: not-a-virus:FraudTool.Win32.WinSpywareProtect.qt C:\Documents and Settings\c9489\Local Settings\Temp\c.exe
6/4/2009 11:09:39 AM Detected: not-a-virus:FraudTool.Win32.WinSpywareProtect.qt C:\Documents and Settings\c9489\Local Settings\Temp\c.exe
6/4/2009 11:01:02 AM Untreated: not-a-virus:AdWare.Win32.BHO.fb C:\WINDOWS\system32\vwR455ef.dll Postponed
6/4/2009 11:01:02 AM Detected: not-a-virus:AdWare.Win32.BHO.fb C:\WINDOWS\system32\vwR455ef.dll
6/4/2009 11:01:02 AM Untreated: not-a-virus:AdWare.Win32.BHO.fb C:\WINDOWS\system32\vQU7Cn1s.dll Postponed
6/4/2009 11:01:02 AM Detected: not-a-virus:AdWare.Win32.BHO.fb C:\WINDOWS\system32\vQU7Cn1s.dll
6/4/2009 11:00:25 AM Detected: http://www.viruslist.com/en/advisor... C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\msxml6.dll
6/4/2009 11:00:15 AM Detected: http://www.viruslist.com/en/advisor... C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\flash.ocx
6/4/2009 10:54:44 AM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Java\jre1.6.0_03\bin\java.exe
6/4/2009 10:54:42 AM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Java\j2re1.4.2_03\bin\eula.dll
6/4/2009 10:54:37 AM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Dell\RAID Storage Manager\jre\bin\eula.dll
6/4/2009 10:54:01 AM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\Annots.api
6/4/2009 10:53:17 AM Detected: http://www.viruslist.com/en/advisor... C:\i386\swflash.ocx
6/4/2009 10:52:24 AM Detected: http://www.viruslist.com/en/advisor... C:\i386\flash.ocx
6/4/2009 10:49:54 AM Untreated: not-a-virus:AdWare.Win32.BHO.fb C:\Documents and Settings\c9489\Local Settings\Temp\vwR455ef.exe Postponed
6/4/2009 10:49:54 AM Untreated: not-a-virus:AdWare.Win32.BHO.fb C:\Documents and Settings\c9489\Local Settings\Temp\vQU7Cn1s.exe Postponed
6/4/2009 10:49:53 AM Detected: not-a-virus:AdWare.Win32.BHO.fb C:\Documents and Settings\c9489\Local Settings\Temp\vQU7Cn1s.exe
6/4/2009 10:49:53 AM Detected: not-a-virus:AdWare.Win32.BHO.fb C:\Documents and Settings\c9489\Local Settings\Temp\vwR455ef.exe
6/4/2009 10:49:52 AM Untreated: Packed.Win32.Tdss.m C:\Documents and Settings\c9489\Local Settings\Temp\d.exe Postponed
6/4/2009 10:49:52 AM Detected: Packed.Win32.Tdss.m C:\Documents and Settings\c9489\Local Settings\Temp\d.exe
6/4/2009 10:49:52 AM Untreated: not-a-virus:FraudTool.Win32.WinSpywareProtect.qt C:\Documents and Settings\c9489\Local Settings\Temp\c.exe Postponed
6/4/2009 10:49:52 AM Detected: not-a-virus:FraudTool.Win32.WinSpywareProtect.qt C:\Documents and Settings\c9489\Local Settings\Temp\c.exe
6/4/2009 10:48:15 AM Untreated: Rootkit.Win32.TDSS.a System Memory Postponed
6/4/2009 10:47:54 AM Detected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 10:47:53 AM Task started
Disinfect active threats: completed 6/4/2009 1:50:58 PM (events: 4, objects: 2483, time: 00:00:16)
6/4/2009 11:36:11 AM Task completed
6/4/2009 11:36:11 AM Will be deleted on system restart: Packed.Win32.Tdss.f C:\WINDOWS\system32\UACouhdktuwaxhkhyw.dll
6/4/2009 11:36:11 AM Detected: Packed.Win32.Tdss.f C:\WINDOWS\system32\UACouhdktuwaxhkhyw.dll
6/4/2009 11:36:11 AM Will be deleted on system restart: Packed.Win32.Tdss.f C:\WINDOWS\system32\UACnfhefbrahlpofps.dll
6/4/2009 11:36:11 AM Detected: Packed.Win32.Tdss.f C:\WINDOWS\system32\UACnfhefbrahlpofps.dll
6/4/2009 11:36:11 AM Will be deleted on system restart: Packed.Win32.Tdss.f C:\WINDOWS\system32\UAClsqefvmuegnyacf.dll
6/4/2009 11:36:11 AM Detected: Packed.Win32.Tdss.f C:\WINDOWS\system32\UAClsqefvmuegnyacf.dll
6/4/2009 11:36:11 AM Deleted: Trojan.Win32.TDSS.acbv C:\WINDOWS\system32\UACgluqjsbslktivlt.dll
6/4/2009 11:36:11 AM Detected: Trojan.Win32.TDSS.acbv C:\WINDOWS\system32\UACgluqjsbslktivlt.dll
6/4/2009 11:36:10 AM Deleted: Packed.Win32.Tdss.f C:\WINDOWS\system32\UACfbsdshvdohhwnkn.dll
6/4/2009 11:36:10 AM Detected: Packed.Win32.Tdss.f C:\WINDOWS\system32\UACfbsdshvdohhwnkn.dll
6/4/2009 11:36:10 AM Deleted: Trojan.Win32.Agent.chly C:\WINDOWS\system32\drivers\UACtjfcksqhcidxjka.sys
6/4/2009 11:36:06 AM Detected: Trojan.Win32.Agent.chly C:\WINDOWS\system32\drivers\UACtjfcksqhcidxjka.sys
6/4/2009 11:29:04 AM Untreated: Trojan.Win32.Agent.chly C:\WINDOWS\system32\drivers\UACtjfcksqhcidxjka.sys Postponed
6/4/2009 11:29:04 AM Detected: Trojan.Win32.Agent.chly C:\WINDOWS\system32\drivers\UACtjfcksqhcidxjka.sys
6/4/2009 11:28:54 AM Untreated: Packed.Win32.Tdss.f C:\WINDOWS\system32\UACnfhefbrahlpofps.dll Postponed
6/4/2009 11:28:54 AM Detected: Packed.Win32.Tdss.f C:\WINDOWS\system32\UACnfhefbrahlpofps.dll
6/4/2009 11:28:54 AM Untreated: Packed.Win32.Tdss.f C:\WINDOWS\system32\UACouhdktuwaxhkhyw.dll Postponed
6/4/2009 11:28:54 AM Detected: Packed.Win32.Tdss.f C:\WINDOWS\system32\UACouhdktuwaxhkhyw.dll
6/4/2009 11:28:54 AM Untreated: Packed.Win32.Tdss.f C:\WINDOWS\system32\UAClsqefvmuegnyacf.dll Postponed
6/4/2009 11:28:54 AM Detected: Packed.Win32.Tdss.f C:\WINDOWS\system32\UAClsqefvmuegnyacf.dll
6/4/2009 11:28:54 AM Untreated: Packed.Win32.Tdss.f C:\WINDOWS\system32\UACfbsdshvdohhwnkn.dll Postponed
6/4/2009 11:28:54 AM Detected: Packed.Win32.Tdss.f C:\WINDOWS\system32\UACfbsdshvdohhwnkn.dll
6/4/2009 11:28:53 AM Untreated: Trojan.Win32.TDSS.acbv C:\WINDOWS\system32\UACgluqjsbslktivlt.dll Postponed
6/4/2009 11:28:53 AM Detected: Trojan.Win32.TDSS.acbv C:\WINDOWS\system32\UACgluqjsbslktivlt.dll
6/4/2009 11:28:24 AM Detected: http://www.viruslist.com/en/advisor... C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\msxml6.dll
6/4/2009 11:28:18 AM Detected: http://www.viruslist.com/en/advisor... C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\flash.ocx
6/4/2009 11:24:24 AM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Java\jre1.6.0_03\bin\java.exe
6/4/2009 11:24:22 AM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Java\j2re1.4.2_03\bin\eula.dll
6/4/2009 11:24:18 AM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Dell\RAID Storage Manager\jre\bin\eula.dll
6/4/2009 11:23:50 AM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\Annots.api
6/4/2009 11:23:31 AM Detected: http://www.viruslist.com/en/advisor... C:\i386\swflash.ocx
6/4/2009 11:23:00 AM Detected: http://www.viruslist.com/en/advisor... C:\i386\flash.ocx
6/4/2009 11:19:45 AM Task started
Disinfect active threats: completed 6/4/2009 1:50:58 PM (events: 4, objects: 2483, time: 00:00:16)
6/4/2009 12:09:42 PM Task completed
6/4/2009 11:57:27 AM Detected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 11:49:32 AM Detected: http://www.viruslist.com/en/advisor... C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\msxml6.dll
6/4/2009 11:49:26 AM Detected: http://www.viruslist.com/en/advisor... C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\flash.ocx
6/4/2009 11:45:34 AM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Java\jre1.6.0_03\bin\java.exe
6/4/2009 11:45:32 AM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Java\j2re1.4.2_03\bin\eula.dll
6/4/2009 11:45:29 AM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Dell\RAID Storage Manager\jre\bin\eula.dll
6/4/2009 11:45:00 AM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\Annots.api
6/4/2009 11:44:41 AM Detected: http://www.viruslist.com/en/advisor... C:\i386\swflash.ocx
6/4/2009 11:44:10 AM Detected: http://www.viruslist.com/en/advisor... C:\i386\flash.ocx
6/4/2009 11:41:00 AM Untreated: Rootkit.Win32.TDSS.a System Memory Postponed
6/4/2009 11:40:51 AM Detected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 11:40:51 AM Task started
Disinfect active threats: completed 6/4/2009 1:50:58 PM (events: 4, objects: 2483, time: 00:00:16)
6/4/2009 12:09:42 PM Task started
6/4/2009 12:09:42 PM Detected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 12:09:42 PM Disinfected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 12:09:57 PM Task completed
Disinfect active threats: completed 6/4/2009 1:50:58 PM (events: 4, objects: 2483, time: 00:00:16)
6/4/2009 12:17:58 PM Task started
6/4/2009 12:17:58 PM Detected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 12:18:04 PM Untreated: Rootkit.Win32.TDSS.a System Memory Postponed
6/4/2009 12:18:17 PM Detected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 12:19:38 PM Task completed
Disinfect active threats: completed 6/4/2009 1:50:58 PM (events: 4, objects: 2483, time: 00:00:16)
6/4/2009 12:19:38 PM Task started
6/4/2009 12:19:38 PM Detected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 12:19:38 PM Disinfected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 12:19:47 PM Task completed
Disinfect active threats: completed 6/4/2009 1:50:58 PM (events: 4, objects: 2483, time: 00:00:16)
6/4/2009 12:40:06 PM Task started
6/4/2009 12:42:21 PM Task completed
Disinfect active threats: completed 6/4/2009 1:50:58 PM (events: 4, objects: 2483, time: 00:00:16)
6/4/2009 12:56:20 PM Task started
6/4/2009 1:16:42 PM Task completed
Disinfect active threats: completed 6/4/2009 1:50:58 PM (events: 4, objects: 2483, time: 00:00:16)
6/4/2009 1:25:21 PM Task started
6/4/2009 1:25:21 PM Detected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 1:25:31 PM Untreated: Rootkit.Win32.TDSS.a System Memory Postponed
6/4/2009 1:29:53 PM Detected: http://www.viruslist.com/en/advisor... C:\i386\flash.ocx
6/4/2009 1:30:43 PM Detected: http://www.viruslist.com/en/advisor... C:\i386\swflash.ocx
6/4/2009 1:31:30 PM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\Annots.api
6/4/2009 1:32:05 PM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Dell\RAID Storage Manager\jre\bin\eula.dll
6/4/2009 1:32:09 PM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Java\j2re1.4.2_03\bin\eula.dll
6/4/2009 1:32:11 PM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Java\jre1.6.0_03\bin\java.exe
6/4/2009 1:37:52 PM Detected: http://www.viruslist.com/en/advisor... C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\flash.ocx
6/4/2009 1:38:02 PM Detected: http://www.viruslist.com/en/advisor... C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\msxml6.dll
6/4/2009 1:47:42 PM Detected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 1:50:42 PM Task completed
Disinfect active threats: completed 6/4/2009 1:50:58 PM (events: 4, objects: 2483, time: 00:00:16)
6/4/2009 1:50:42 PM Task started
6/4/2009 1:50:42 PM Detected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 1:50:42 PM Disinfected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 1:50:58 PM Task completed

=============
I hope this is sufficient. Thanks.


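The log above is long because each task repeats the same story: `Rootkit.Win32.TDSS.a` in System Memory is "Disinfected" and then "Detected" again in the next task, the `UAC...dll` files can only be deleted on restart, and a kernel driver (`drivers\UACtjfcksqhcidxjka.sys`) sits among them. That recurrence is the tell that something reloads at boot, and it is what the helper acts on next. The block below is an added example, not a tool from the post: it parses this Kaspersky line format, groups events per (threat, object), and classifies each as removed, redetected after a clean-up, pending a reboot, untreated, or a vulnerability advisory. The sample lines are excerpted from the posted log; the "UAC + random letters" filename check is an assumed heuristic drawn from the names in that same log, not a published signature.

```python
"""Triage a Kaspersky AVP-style scan log: which objects were actually removed,
which came back after a clean-up, and which are still waiting on a reboot.

Added example for this thread; not a tool from the post. The line format is
the one in the log pasted above. The 'UAC' + random-letters filename check is
an assumption drawn from the file names in that same log."""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<action>Task started|Task completed|Task stopped|Detected|Untreated|"
    r"Deleted|Disinfected|Will be deleted on system restart)(?:: (?P<rest>.*))?$"
)
STATUS_RE = re.compile(r" (Postponed|Skipped by user)$")
# Assumed heuristic: system32\UAC<random letters>.dll/.sys, as seen in the log above.
TDSS_NAME_RE = re.compile(r"\\UAC[a-z]{10,}\.(?:dll|sys)$", re.IGNORECASE)
CLEAN = ("Deleted", "Disinfected")
PENDING = "Will be deleted on system restart"

# Constructed sample: a handful of lines excerpted from the posted log.
SAMPLE_LOG = [
    r"6/4/2009 10:38:59 AM Disinfected: Rootkit.Win32.TDSS.a System Memory",
    r"6/4/2009 10:38:59 AM Detected: Rootkit.Win32.TDSS.a System Memory",
    r"6/4/2009 10:54:44 AM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Java\jre1.6.0_03\bin\java.exe",
    r"6/4/2009 11:09:43 AM Untreated: not-a-virus:AdWare.Win32.BHO.fb C:\WINDOWS\system32\vwR455ef.dll Skipped by user",
    r"6/4/2009 11:19:45 AM Task started",
    r"6/4/2009 11:28:54 AM Detected: Packed.Win32.Tdss.f C:\WINDOWS\system32\UACnfhefbrahlpofps.dll",
    r"6/4/2009 11:29:04 AM Detected: Trojan.Win32.Agent.chly C:\WINDOWS\system32\drivers\UACtjfcksqhcidxjka.sys",
    r"6/4/2009 11:36:10 AM Deleted: Trojan.Win32.Agent.chly C:\WINDOWS\system32\drivers\UACtjfcksqhcidxjka.sys",
    r"6/4/2009 11:36:11 AM Will be deleted on system restart: Packed.Win32.Tdss.f C:\WINDOWS\system32\UACnfhefbrahlpofps.dll",
    r"6/4/2009 11:40:51 AM Detected: Rootkit.Win32.TDSS.a System Memory",
    r"6/4/2009 11:41:00 AM Untreated: Rootkit.Win32.TDSS.a System Memory Postponed",
]


def parse_line(line):
    """Return a dict for one log line, or None if it is not an event line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p"),
          "action": m.group("action"), "threat": None, "obj": None, "status": None}
    if ev["action"].startswith("Task"):
        return ev
    rest = m.group("rest") or ""
    sm = STATUS_RE.search(rest)
    if sm:
        ev["status"], rest = sm.group(1), rest[: sm.start()]
    ev["threat"], _, ev["obj"] = rest.partition(" ")   # threat names carry no spaces
    return ev


def triage(lines):
    """Group events per (threat, object) and give each a verdict plus flags."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["threat"]:
            events[(ev["threat"], ev["obj"])].append(ev)

    report = {}
    for (threat, obj), evs in events.items():
        clean_ts = [e["ts"] for e in evs if e["action"] in CLEAN]
        detect_ts = [e["ts"] for e in evs if e["action"] == "Detected"]
        pending_ts = [e["ts"] for e in evs if e["action"] == PENDING]
        if threat.startswith(("http://", "https://")):
            verdict = "advisory"            # vulnerable legitimate software, not malware
        elif pending_ts and not any(t > max(pending_ts) for t in clean_ts):
            verdict = "pending_reboot"      # the log alone cannot confirm removal
        elif not clean_ts:
            verdict = "untreated" if any(e["action"] == "Untreated" for e in evs) else "detected_only"
        elif detect_ts and max(detect_ts) > max(clean_ts):
            verdict = "redetected"          # cleaned, then seen again: persistence survived
        else:
            verdict = "removed"
        flags = set()
        if obj == "System Memory":
            flags.add("in_memory")          # active component; the file on disk is not named
        if TDSS_NAME_RE.search(obj):
            flags.add("tdss_naming")
        if any(e["status"] == "Skipped by user" for e in evs):
            flags.add("skipped_by_user")
        report[(threat, obj)] = {"verdict": verdict, "flags": sorted(flags),
                                 "first_seen": min(e["ts"] for e in evs),
                                 "last_seen": max(e["ts"] for e in evs)}
    return report


def needs_followup(report):
    """Keys that still need action, worst first."""
    order = {"redetected": 0, "pending_reboot": 1, "untreated": 2, "detected_only": 3}
    return sorted((k for k, v in report.items() if v["verdict"] in order),
                  key=lambda k: (order[report[k]["verdict"]], k))


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for key in needs_followup(rep):
        print("%-15s %s  %s  %s" % (rep[key]["verdict"], key[0], key[1],
                                    ",".join(rep[key]["flags"])))
```

Run against the full log above, the "redetected" bucket is exactly the in-memory rootkit component, and the "pending_reboot" bucket is the set of `UAC...dll` files the poster saw come back after restarting. The `viruslist.com/en/advisor...` entries are classified as advisories because they name out-of-date Java, Flash and Acrobat components rather than malware; they still matter (they are the usual way this class of infection arrives), which is why the thread ends with a patching step.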

Response Number 5
Name: jdk (by neoark)
Date: June 4, 2009 at 12:33:03 Pacific
Reply:

1) Can you please post your AVZ log:
Note: Run AVZ in Windows normal mode. If avz.exe doesn't start, try renaming the file avz.exe to something else and running it again. Make sure you have your web browser open in the background before following the steps below.

i) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteStdScr(3);
RebootWindows(true);
end.


Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script, the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Image Tutorial

2) Can you also make a new HijackThis log and upload it to rapidshare.com. HijackThis: Here

-------------------------------------------------






Response Number 6
Name: GaryBrooke
Date: June 5, 2009 at 06:17:17 Pacific
Reply:

I tried to upload these links yesterday and I don't think they went through so here we go again.

http://rapidshare.com/files/2408744...
MD5: 4AADAD7C2796969ECB717EE8BE95FD2E


http://rapidshare.com/files/2408744...
MD5: CD95A703F7440962DC7042168AE578DC



Response Number 7
Name: jdk (by neoark)
Date: June 5, 2009 at 06:40:53 Pacific
Reply:

Follow these steps in the order numbered. Don't proceed to the next step unless you have successfully completed the previous step:

1) Run this script in AVZ like before, your computer will reboot:

begin
  SetAVZGuardStatus(True);
  SearchRootkit(true, true);
  QuarantineFile('\\?\globalroot\systemroot\system32\UAClsqefvmuegnyacf.dll','');
  DeleteFile('\\?\globalroot\systemroot\system32\UAClsqefvmuegnyacf.dll');
  BC_ImportDeletedList;
  ExecuteSysClean;
  ExecuteRepair(13);
  ExecuteRepair(14);
  ExecuteRepair(15);
  BC_Activate;
  RebootWindows(true);
end.

2) After Reboot. Attach a Combofix log, please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.co...

Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please upload that file to rapidshare.com and paste the link here.

-------------------------------------------------



Response Number 8
Name: GaryBrooke
Date: June 5, 2009 at 08:46:21 Pacific
Reply:

Okay, running the AVZ script did not appear to complete, so I have not attempted the second part and won't until I hear back. While running the script supplied above, AVZ came up with a window saying that the application could not complete because netsh.exe could not find framedyn.dll. When I hit OK on that message (no other choice) it did say that the script had run to completion and then the computer rebooted. I tried running the AVZ script a couple of times with the same result. Please advise.



Response Number 9
Name: jdk (by neoark)
Date: June 5, 2009 at 08:51:01 Pacific
Reply:

Leave fix for now and continue with combofix. This is the fix: http://support.microsoft.com/kb/319114

-------------------------------------------------



Response Number 10
Name: GaryBrooke
Date: June 5, 2009 at 09:43:50 Pacific
Reply:

Well, I could not find framedyn.dll in the dllcache folder and my path wasn't set at all. There was a framedyn.dll in the correct directory, so I set my path as directed and gave it a go... same result. This could mean my framedyn.dll is corrupted. I notice that when I renamed it in the \wbem directory (I tried copying a version that I found in the \i386 directory) it was regenerated immediately. Please advise.



Response Number 11
Name: jdk (by neoark)
Date: June 5, 2009 at 09:52:47 Pacific
Reply:

Continue with combofix

-------------------------------------------------



Response Number 12
Name: GaryBrooke
Date: June 5, 2009 at 10:38:56 Pacific
Reply:

Okay here is the link

http://rapidshare.com/files/2411854...
MD5: FC212F693C47A2E43D716DDD20F7A9DD



Response Number 13
Name: jdk (by neoark)
Date: June 5, 2009 at 12:00:23 Pacific
Reply:

1) Please zip up C:\qoobox\quarantine and the copy of following files:
c:\windows\system32\pgdfgsvc.exe
c:\windows\RegGenieOnUninstall.exe
upload all of them to a filehost such as http://rapidshare.com/ Then, Private Message me the Download link to the uploaded file.

2) Lastly, uninstall Combofix by: pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) > Start > Run > type combofix /u > OK. Or Start > Run > type 123 /u > OK.

-------------------------------------------------



Response Number 14
Name: GaryBrooke
Date: June 5, 2009 at 12:50:56 Pacific
Reply:

Sorry, I have been away for a couple of days. When I try to direct message you with the info it tells me to post the info in this box... is that what you want me to do?



Response Number 15
Name: jdk (by neoark)
Date: June 9, 2009 at 09:54:59 Pacific
Reply:

Is your original problem fixed?

-------------------------------------------------



Response Number 16
Name: GaryBrooke
Date: June 11, 2009 at 19:46:56 Pacific
Reply:

Yes, my original problem has been cleared up. Thank you.



Response Number 17
Name: jdk (by neoark)
Date: June 11, 2009 at 20:12:05 Pacific
Reply:

Complete Response Number 13. Use the link below this message to private message me. In addition, send me this file as well: c:\windows\system32\dssmg.exe. You still might have infected files on your system, so complete all the steps until I say you are malware free.

If I'm helping you and I don't reply within 24 hours send me a PM.



Response Number 18
Name: GaryBrooke
Date: June 12, 2009 at 06:57:24 Pacific
Reply:

I cannot zip up dssmg.exe - won't let me.



Response Number 19
Name: jdk (by neoark)
Date: June 12, 2009 at 07:02:58 Pacific
Reply:

No need to zip it, just copy it to your desktop or upload it directly to rapidshare.com. Do not delete or move the files which I told you to send. I just want a copy of them.

If I'm helping you and I don't reply within 24 hours send me a PM.



Response Number 20
Name: GaryBrooke
Date: June 12, 2009 at 09:16:19 Pacific
Reply:

I can't upload the dssmg.exe file to Rapidshare... it keeps telling me there is no file to upload when I have clearly selected the file and placed its name in the filename box. ???



Response Number 21
Name: jdk (by neoark)
Date: June 12, 2009 at 09:18:04 Pacific
Reply:

Leave that file for now. Continue with the rest.

If I'm helping you and I don't reply within 24 hours send me a PM.



Response Number 22
Name: jdk (by neoark)
Date: June 12, 2009 at 09:50:08 Pacific
Reply:

Redo Response Number 5. Generate and post new set of logs.

If I'm helping you and I don't reply within 24 hours send me a PM.



Response Number 23
Name: GaryBrooke
Date: June 12, 2009 at 10:30:08 Pacific
Reply:

http://rapidshare.com/files/2438023...
MD5: 2D4484E25EFDA80D0A2E0CB0A606BB64

http://rapidshare.com/files/2438023...
MD5: 77B8E019798E7E6F4A6CDBF3CB0DC308



Response Number 24
Name: jdk (by neoark)
Date: June 12, 2009 at 12:52:08 Pacific
Reply:

Follow these steps in the order numbered. Don't proceed to the next step unless you have successfully completed the previous step:

1) Run this script in AVZ like before, your computer will reboot:

begin
  SetAVZGuardStatus(True);
  SearchRootkit(true, true);
  QuarantineFile('C:\WINDOWS\system32\dssmg.exe','');
  DeleteService('AFSEGTGF Windows Service');
  StopService('AFSEGTGF Windows Service');
  DeleteFile('C:\WINDOWS\system32\dssmg.exe');
  BC_ImportAll;
  ExecuteSysClean;
  BC_Activate;
  RebootWindows(true);
end.

2) After reboot execute following script in AVZ:

begin
  CreateQurantineArchive('C:\quarantine3.zip');
end.


A file called quarantine3.zip should be created in C:\. Upload that file to Rapidshare.com and private message me download link.

If I'm helping you and I don't reply within 24 hours send me a PM.



Response Number 25
Name: jdk (by neoark)
Date: June 12, 2009 at 13:39:25 Pacific
Reply:

Thanks for the files. Please follow these steps in order numbered and post summary log after each step.

1) Install, update database and run full scan with Malwarebytes' Anti-Malware. Attach malwarebyte full scan log, fix anything detected.

2) House cleaning. Run full Scan with SuperAntispyware : http://www.superantispyware.com/dow... . Fix what it detects and post summary scan log.

If I'm helping you and I don't reply within 24 hours send me a PM.

PS: You use kaspersky 2009 antivirus?



Response Number 26
Name: GaryBrooke
Date: June 13, 2009 at 07:33:47 Pacific
Reply:

With regard to your PS... I have Kaspersky 2009 on a trial basis right now as per your initial instructions. I was using SpyDoctor and had something called eTrust but they didn't seem to cut it... do you have a recommendation?

Here are the log outputs:
Malwarebytes' Anti-Malware 1.37
Database version: 2268
Windows 5.1.2600 Service Pack 2

6/12/2009 5:33:39 PM
mbam-log-2009-06-12 (17-33-39).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 218618
Time elapsed: 45 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
d:\RECYCLER\s-1-5-21-1417001333-1645522239-682003330-20025\Dd1.exe (Rogue.Installer) -> Quarantined and deleted successfully.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/12/2009 at 06:04 PM

Application Version : 4.26.1004

Core Rules Database Version : 3937
Trace Rules Database Version: 1880

Scan type : Complete Scan
Total Scan Time : 00:18:20

Memory items scanned : 376
Memory threats detected : 0
Registry items scanned : 5346
Registry threats detected : 0
File items scanned : 22927
File threats detected : 63

Adware.Tracking Cookie
C:\Documents and Settings\c9489\Cookies\c9489@imrworldwide[2].txt
C:\Documents and Settings\c9489\Cookies\c9489@ads.pgatour[2].txt
C:\Documents and Settings\c9489\Cookies\c9489@msnbc.112.2o7[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@enhance[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@insightexpressai[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@mediaplex[2].txt
C:\Documents and Settings\c9489\Cookies\c9489@toseeka[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@specificmedia[2].txt
C:\Documents and Settings\c9489\Cookies\c9489@realmedia[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@www.toseeka[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@smartadserver[2].txt
C:\Documents and Settings\c9489\Cookies\c9489@pro-market[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@statcounter[2].txt
C:\Documents and Settings\c9489\Cookies\c9489@c7.zedo[2].txt
C:\Documents and Settings\c9489\Cookies\c9489@questionmarket[2].txt
C:\Documents and Settings\c9489\Cookies\c9489@casalemedia[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@cdnh.tremormedia[2].txt
C:\Documents and Settings\c9489\Cookies\c9489@www.windowsmedia[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@fastclick[2].txt
C:\Documents and Settings\c9489\Cookies\c9489@clickbank[2].txt
C:\Documents and Settings\c9489\Cookies\c9489@msnportal.112.2o7[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@specificclick[2].txt
C:\Documents and Settings\c9489\Cookies\c9489@xiti[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@hitbox[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@tribalfusion[2].txt
C:\Documents and Settings\c9489\Cookies\c9489@apmebf[2].txt
C:\Documents and Settings\c9489\Cookies\c9489@revsci[2].txt
C:\Documents and Settings\c9489\Cookies\c9489@serving-sys[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@www.shopica[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@advertising[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@overture[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@www.findstuff[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@ads.pointroll[2].txt
C:\Documents and Settings\c9489\Cookies\c9489@bluestreak[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@serw.clicksor[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@zedo[2].txt
C:\Documents and Settings\c9489\Cookies\c9489@revenue[2].txt
C:\Documents and Settings\c9489\Cookies\c9489@ads.techguy[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@windowsmedia[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@myroitracking[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@bs.serving-sys[2].txt
C:\Documents and Settings\c9489\Cookies\c9489@dc.tremormedia[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@tacoda[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@ehg-winnercomm.hitbox[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@shopica[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@www.googleadservices[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@kaspersky.122.2o7[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@chitika[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@www.googleadservices[2].txt
C:\Documents and Settings\c9489\Cookies\c9489@onetoone.112.2o7[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@7572.91423.clickshield[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@doubleclick[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@at.atwola[2].txt
C:\Documents and Settings\c9489\Cookies\c9489@list[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@server.cpmstar[2].txt
C:\Documents and Settings\c9489\Cookies\c9489@7587.91423.clickshield[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@atdmt[2].txt
C:\Documents and Settings\c9489\Cookies\c9489@adserver.adtechus[1].txt
C:\Documents and Settings\c9489\Cookies\c9489@ad.yieldmanager[1].txt



Response Number 27
Name: jdk (by neoark)
Date: June 13, 2009 at 07:42:18 Pacific
Reply:

Is your original problem fixed? I like Kaspersky/BitDefender/ESET/Norton; none of them are free. If you want free, try Avast/AVG.

If I'm helping you and I don't reply within 24 hours send me a PM.



Response Number 28
Name: GaryBrooke
Date: June 13, 2009 at 07:53:39 Pacific
Reply:

Yes, my original problem is fixed... thank you. Do I need to do anything else to clean up?



Response Number 29
Name: jdk (by neoark)
Date: June 13, 2009 at 08:02:42 Pacific
Reply:

Follow these security measures and clean-up procedures in the order numbered:

1) Update Windows via Windows Update until all critical patches are applied (SP3).

2) http://onecare.live.com/site/en-Us/...

3) http://onecare.live.com/site/en-Us/...

PS: No need to report back. Since the problem is solved I am no longer monitoring this post; if you have any further malware-related problem, private message me.

If I'm helping you and I don't reply within 24 hours send me a PM.



Response Number 30
Name: morningsunshine
Date: June 30, 2009 at 10:53:54 Pacific
Reply:

To screen your computer on all background processes try the www.xraymypc.com scanner. It will show description, location, and security risk of each process found. You can download this free scanner from here:
http://www.xraymypc.com/scanner.html



Response Number 31
Name: GaryBrooke
Date: June 30, 2009 at 11:28:12 Pacific
Reply:

Okay, thanks for the info.


