J0llyhunter asked:
IEXPLORE.EXE-2D97EBE6.pf TROJAN VIRUS!

Hi guys, recently my computer seems slow and unresponsive. I checked the task manager and the internet for solutions and found I had this file called 'IEXPLORE.EXE-2D97EBE6.pf' in my prefetch. I'm pretty sure it's a trojan virus but I have no idea how to get rid of it because it keeps coming back after I reboot my computer. I used HouseCall, Ad-Aware - no, nothing. The solutions on the web don't have the cure and Symantec doesn't have it. I'm so stuck right now!

here's my logfile:

Logfile of HijackThis v1.99.0
Scan saved at 12:15:56 AM, on 5/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\addins\regexp.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\swqjll.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

r-k replied:

I don't think the 'IEXPLORE.EXE-2D97EBE6.pf' file in your prefetch folder is a problem.

At a quick glance, the only problem I can see in your log is that you have Gator adware/spyware running, which you should probably remove. In particular the programs gmt.exe and cmesys.exe and all references to those. There might be something in the Control Panel -> Add/Remove that you can use, else remove them manually from where they are starting.

Also run your HJT log through the automated online analysis to see if there is anything else I missed.
You also have a lot of extras running, which are not bad by themselves, but could be a burden on the system if it's slow or is low on memory.

Next time please use this auto-analysis site:

http://www.hijackthis.de/index.php?langselect=english

Your log analysis is here:

http://www.hijackthis.de/logfiles/3ed6afddb7c0c9aa7c86ca55ff19ca6d.html

Next time please post a LINK like this one rather than the log.

These entries have been positively identified as malicious programs. In the HijackThis program, place a check mark next to the following entries.

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
(Description: Spyware installed by Kazaa.)

O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
(Description: Part of Gator advertising spyware - see here for removal instructions )

O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\swqjll.exe
(Description: Added by the BACKDOOR.JUPDATE TROJAN! )

O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
(Description: Gator spyware variant. See Gator )

The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
(Description: Intel hotkey applet. Unnecessary. Removing this will free up a small amount of system resources.)

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
(Description: RealPlayer scheduler. Completely unnecessary. Removing this entry will free up a small amount of system resources.)

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
(Description: Loads the System Tray icon for the WinAmp media player. Can be used to maintain file associations so programs like QuickTime and RealPlayer don't take over as default player for various media types. Available via Start -> Programs. If you don't use WinAmp constantly, removing this entry will free up some system resources. )

Now:

1) Press the "Fix checked" button. Then close HijackThis.

2) Then reboot your computer.

3) Kazaa has installed spyware on your PC. Go to the Control Panel, Add/Remove programs. Uninstall Kazaa. Uninstall P2P Networking.

4) Delete the folder C:\Program Files\Common Files\CMEII\

5) Delete the file referenced in the "O4 - [JavaUpdate0.07]" entry of your log.

6) Delete the folder C:\Program Files\Common Files\GMT\

7) Empty your recycle bin.

8) Run Windows Update and install all critical updates.

9) Make sure your anti-virus program is up to date with the latest patches. If you do not have an anti-virus program, download and install AVG Personal Edition Anti-Virus, which is free.

10) Reboot one last time. Your PC should now be free from spyware!
We suggest that you run HijackThis again, just to make sure that none of the entries that you removed suddenly reappeared. If they haven't, print out your HijackThis log and put it somewhere safe. You can refer to it later if your PC starts acting up.

Get rid of Kazaa or this won't stop.

Good luck,

Zee
J0llyhunter (asker) replied:

Hey, my CPU memory was only like 5% a few days ago and now sometimes it pops up to 50% or more, so I wasn't thinking about the spyware since I've had it for more than a few days. I tried deleting the Conexant camera but when I reboot it, it reinstalled itself along with something like PCI communications, u??? half modem... and a few other programs.
this is my log
http://www.hijackthis.de/logfiles/0cfc847d2e50f53a3bb078bc3be7dd2a.html
Also I found a few P2P Networking and Gator files in my prefetch. Should I delete them?
they are:
GATORSTUBSETUP.EXE-39E31F8A.pf
P2PNETWORKING.EXE-3470F776.pf
P2PNETWORKINGP2P93.EXE0601F618.pf
CMESYS.EXE-117633DE.pf
GMT.EXE-3182804d
>Also I found a few P2P Networking and Gator files in my prefetch. Should I delete them?

 Yes, you can delete them though I don't think it really matters.

Is your computer more responsive now that you removed Gator and P2P?

MUST DO:

Place HJT in its own folder; don't run it from a temp folder or the desktop, as you will lose all backups, and they may be needed if you want to undo any erroneous fix.

Your HJT log doesn't look too bad now.

I would fix these:

O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\addins\regexp.dll
O20 - Winlogon Notify: regexp - C:\WINDOWS\addins\regexp.dll

Zee
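The O2 and O20 lines above both load regexp.dll from C:\WINDOWS\addins, a directory neither Windows nor installed software normally uses, and that is the kind of thing a triage pass over a HijackThis log can pick out mechanically. The Python script below is an added example, not part of this thread and not HijackThis code: it parses O2 (BHO), O4 (Run and startup folder) and O20 (Winlogon Notify) lines from a constructed sample made of lines copied from the logs in this thread, and flags in-process DLLs and Notify packages outside System32 or Program Files, unnamed BHOs, per-user Run entries that launch a file from System32, and entries marked "(file missing)". The rules and the "expected directories" list are assumptions chosen for this example, so a hit means "look at this entry", not "this is malware".

```python
import re
from collections import namedtuple

# Constructed sample: lines copied from the HijackThis logs posted in this thread
# (the O20 line comes from the follow-up log), so the script runs offline.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\addins\regexp.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\swqjll.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O20 - Winlogon Notify: regexp - C:\WINDOWS\addins\regexp.dll
"""

# Directories an in-process DLL or autostart is expected to live in (assumption for
# this example; a real allowlist would be longer and site-specific).
SYSTEM32 = "c:\\windows\\system32\\"
EXPECTED = (SYSTEM32, "c:\\program files\\")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?P<scope>Global Startup|Startup): (?P<name>.*?) = (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$")
# Either a quoted path, or an unquoted path ending at the first extension that is
# followed by whitespace/end (so unquoted paths with spaces still parse).
IMAGE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.*?\.(?:exe|dll|com|scr|bat|cmd|pif))(?=\s|$)',
                      re.IGNORECASE)

Finding = namedtuple("Finding", "line reason")


def image_path(cmd):
    """Extract the executable/DLL path from a Run command line with optional arguments."""
    m = IMAGE_RE.match(cmd.strip())
    if not m:
        return cmd.strip()
    return m.group("q") or m.group("u")


def normalise(path):
    """Lower-case the path and drop HijackThis' '(file missing)' suffix."""
    path = re.sub(r"\s*\(file missing\)\s*$", "", path)
    return path.lower().replace("/", "\\")


def in_expected_dir(path):
    return normalise(path).startswith(EXPECTED)


def triage(log_text):
    """Return a list of Finding(line, reason) for entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("(file missing)"):
            findings.append(Finding(line, "referenced file is missing: stale entry, safe to remove"))
        m = O2_RE.match(line)
        if m:
            if m["name"] == "(no name)":
                findings.append(Finding(line, "BHO registered without a name: identify the DLL's vendor"))
            if not in_expected_dir(m["path"]):
                findings.append(Finding(line, "browser helper DLL outside System32/Program Files"))
            continue
        m = O20_RE.match(line)
        if m:
            if not normalise(m["path"]).startswith(SYSTEM32):
                findings.append(Finding(line, "Winlogon Notify package outside System32: "
                                              "loads into winlogon.exe at every logon"))
            continue
        m = O4_RUN_RE.match(line)
        if m:
            path = image_path(m["cmd"])
            if m["hive"] == "HKCU" and normalise(path).startswith(SYSTEM32):
                findings.append(Finding(line, "per-user Run entry launching a file from System32: "
                                              "unusual for installed software"))
            elif not in_expected_dir(path):
                findings.append(Finding(line, "autostart outside System32/Program Files"))
            continue
        m = O4_STARTUP_RE.match(line)
        if m and m["cmd"] != "?" and not in_expected_dir(image_path(m["cmd"])):
            findings.append(Finding(line, "startup-folder shortcut pointing outside System32/Program Files"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("CHECK:", f.reason)
        print("      ", f.line)
```

Run it against a saved log with `triage(open("hijackthis.log").read())`; on the sample it reports the two regexp.dll entries, the HKCU JavaUpdate0.07 entry, the unnamed Spybot BHO (legitimate, but the rule cannot know that) and the missing msjava.dll button, and stays quiet on the Adobe, Intel and Gator entries, which shows the limits of path-based rules.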

If you want to know what's eating up your resources use Process Explorer:

http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

Also worth trying is an online virus scanner (run at least 2 of them):

Panda ActiveScan
http://www.pandasoftware.com/activescan 

Bitdefender
http://www.bitdefender.com/scan/Msie/index.php 

McAfee FreeScan
http://us.mcafee.com/root/mfs/default.asp 

Symantec Security Check
http://security.symantec.com/sscv6/ 

Pc-Cillin (Trend Micro Housecall)
http://housecall.antivirus.com/housecall/start_pcc.asp 

PcPitstop
http://pcpitstop.com/antivirus/default.asp 

RAV
http://www.ravantivirus.com/scan/ 

Zee


r-k, I wouldn't know if my Windows is running faster now because it only screws up from time to time when I'm surfing on the net...
To Zee, I suspected those files on my log too because I had the req.dat trojan virus, and they sort of look similar. But anyway, I couldn't delete

O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\addins\regexp.dll
O20 - Winlogon Notify: regexp - C:\WINDOWS\addins\regexp.dll

Download BHODemon:

http://www.majorgeeks.com/download3550.html

Run it and untick/de-activate the entry mentioning regexp.dll.

See if that does it. I believe it will.

If not, try KillBox:

http://www.downloads.subratam.org/KillBox.zip

Unzip it and launch.

Select "Delete on Reboot".

In "Full Path of File to Delete", type:

C:\WINDOWS\addins\regexp.dll

Click the button with a red circle and white cross.

Close KillBox and reboot.

Good luck.

Zee
Ooh, ran virus scans on McAfee and Symantec.

mcafee:

C:\...\backup-20050502-174911-600.dll infected with Vundo
C:\...\backup-20050502-174955-122.dll infected with Vundo
C:\WINDOWS\ADDINS\regexp.dll infected with Vundo

symantec:

C:\WINDOWS\ADDINS\regexp.dll is infected with Adware.Adpopup  
C:\Program Files\backups\backup-20050320-013907-810.dll is infected with Adware.P2PNetworking  
C:\I386\MARSHAL.DLL is infected with Adware.P2PNetworking  
C:\Documents and Settings\Jennifer Wong\Local Settings\Temp\backups\backup-20050502-174911-600.dll is infected with Adware.Adpopup  
C:\Documents and Settings\Jennifer Wong\Local Settings\Temp\backups\backup-20050502-174955-122.dll is infected with Adware.Adpopup  

I'll go do what you said now.

And on your way, delete all temp folder contents, IE cache, etc..

You may try CCleaner:

http://www.ccleaner.com/

Zee
Should I use KillBox to delete all the files that are infected as well?
And I have one folder called "temp" and another called "Temporary Internet Files". Do I delete the contents in both?
>>>
And I have one folder called "temp" and another called "Temporary Internet Files". Do I delete the contents in both?
<<<

(1) For temp folder, delete the contents of:
 c:\documents and folders\username\local settings\temp

(2) For Internet Cache, do it from within IE:
   Tools -> Internet Options -> Delete Files -> Delete All Offline Content -> OK

Couldn't delete ~DFA1FD.tmp and Perflib_Perfdata_764. Should I use KillBox to delete these files along with

C:\WINDOWS\ADDINS\regexp.dll is infected with Adware.Adpopup  
C:\Program Files\backups\backup-20050320-013907-810.dll is infected with Adware.P2PNetworking  
C:\I386\MARSHAL.DLL is infected with Adware.P2PNetworking  
Don't worry about the couple of files that are "in use" in the Temp folder. Just delete all the ones that you can.

Definitely do delete the other 3 files, which are known to be infected. Killbox should work on those three.
Interestingly enough, regexp.dll is still here. Shall I download MoveOnBoot and see if it works?
Darn it, I ran MoveOnBoot and it's STILL there!
I am not familiar with MoveOnBoot, but you could try it.

Else, boot in safe mode and see if you can just delete it directly (and empty the trash)

Alternately, if you have XP Pro, you can right-click on the file (regexp.dll), select Properties, then Security and remove all permissions for everyone (including System) to access that file. Then reboot, change permissions so you have permission to delete it, then delete it.
Um, I don't have the Security tab, but I'm going to reboot in safe mode and see if I can fix it. There's probably another file that's creating regexp.dll again and again.
OK, it didn't work. It says I'm currently using it.
Here's a link on how to get the Security Tab to be visible:

 http://windows.about.com/od/tipsarchive/l/bltip542.htm

When you try to change the permissions on that file, it may complain that it is "inheriting permissions from parent folder..". In that case click on the Advanced Button and in the next window un-check the box marked "Inherit permissions..." and then select the "Remove" button. That will remove all permissions.

I don't have the option "use simple file sharing", and it shouldn't matter, since I can log on as admin, right?
>>>
I don't have the option "use simple file sharing".
<<<

 You must have XP Home Edition. It's not easy to set permissions there.

Instead of changing permissions, you could try Dr. Delete to delete the offending file:

 http://www.docsdownloads.com/Tier1/dr-delete.htm

If you do decide to dig into setting permissions in XP Home, see:

 http://whoozoo.co.uk/winxpFilePerms.htm#4



Try starting in Safe Mode, turn off System Restore, and use Killbox to delete those persistent files.

Zee

And this is a way to do it:

http://castlecops.com/check24086previous.html

Not easy, but I believe it will work for you.

Zee
My system restore has always been disabled,

1.so i use reglite to go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
2.see if i have a hidden file?
3.copy the path of hidden file in "value"
4. change "windows" to "NOTWINDOWS" (edit and rename)
5. clear value in AppInit_DLLs
6. Rename "windows" back to "windows"
7 Start, run, type cmd, click ok
8. type in dir <path of file and filename in "value"> press enter (do i type dir?)
9. go to where the dll is, type attrib -r "nameofdll".dll (quotation marks excluded?)
10.Type del "nameofdll".dll
11.Type dir <path and name of dll as found in the appinit value box> and locate the dll name the dll should now have been removed and will not be listed.

Check the following two links for instructions on downloading and running the applications listed:


How to use Spybot to remove Spyware

How to use Ad-Aware to remove Spyware



Restart computer in safe mode (How do I boot into "Safe" mode?) and run these programs again, just to make sure all traces are gone.

Boot up pc as normal and you should be trouble free.



Yes.
I have no value in AppInit.

Try this program; it claims to clean several pieces of malware:

http://www.adwareaway.com/

Zee
regexp wasn't detected by that program.

Have you tried BHODemon as I suggested above:

http://www.majorgeeks.com/download3550.html

Run it and untick/de-activate the entry mentioning regexp.dll.

See if that does it.

And I'm running out of ideas.

Zee
Here's a suggestion in case you haven't tried this:

Start -> Run -> regedit (click on OK)

This starts the Registry editor.

In the left Window, expand the following tree:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

Then right-click on the yellow icon labeled {B8B55274-0F9A-41E5-9067-A3539BD9E860}
and select "Delete"

Close Regedit and reboot. See if you can now delete the c:\windows\regexp.dll file.
Zee, I have downloaded BHODemon and unticked regexp.dll but the file remains there (unchecked).

r-k, no luck in deleting regexp after what you said yet...
Crap, my C:\Program Files\backups\backup-20050320-013907-810.dll recreated itself.
I found a few files with the value regexp.dll in the registry. One is in the Notify folder where all my other programs start up when I turn on my computer (I forgot the address of the Notify folder and I'm having a hard time finding it) and the other one is

HKEY_CLASSES_ROOT\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}\InprocServ\
OK, here's another suggestion:

Download Autoruns.exe from:

http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml

When you run it, it shows a bunch of things that start automatically. Open the "View" menu and select everything from "Show Appinit Dlls" to "Hide Microsoft Entries", then select Refresh and it will give you a new list of startups.

Examine the list carefully and un-check anything that looks suspicious.

Then exit Autoruns and reboot.

Run Autoruns again and see if the things you unchecked earlier are still unchecked.

If they are, you should be able to delete the undesirable files.

Whether they are unchecked or not, you can use the "Save as..." option in Autoruns to save that list to a text file and then cut and paste it here with Notepad or another text editor.
>>>>
I found a few files with the value regexp.dll in the registry. One is in the Notify folder where all my other programs start up when I turn on my computer (I forgot the address of the Notify folder and I'm having a hard time finding it) and the other one is

HKEY_CLASSES_ROOT\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}\InprocServ\
<<<<

That CLSID entry can be ignored assuming you were able to delete the "Browser Helper Objects" entry I mentioned in an earlier post, but you can also delete it for completeness.

If you found a reference to regexp.dll elsewhere in the Registry, please post the full path that you found it in.

As you probably noticed, you can use Edit -> Find from the Regedit menu to search for all occurrences of regexp.dll anywhere in the registry.
I don't know why but I can't find the entry now. It was located in a folder called Notify.

I also thought of a way to delete the virus. Last time I had a virus I had to go into safe mode to change the programs which open up when I start my computer. Maybe I can uncheck regexp.dll from there. I'll try to find where it is as I forgot.

I think the problem is in the registry as r-k is suggesting but it has to do with the

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLL

entry.

I just don't understand, yet, why you can't find it with RegLite.

Zee
Oh yeah, thanks, I found the Notify folder:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

There's a folder called regexp there.
You can either run Autoruns (see above for description) and disable the key there, then reboot and see if stays disabled, OR, you can go ahead and delete that key in regedit, reboot and check if the key stays deleted.

If successful, you can then delete the regexp.dll file itself.
It recreated itself. In the regexp folder there are 6 files:

Name            Data                             Type        Size
(default)       (Value not set)
Asynchronous    1 (0x01)                         REG_DWORD   4
DllName         C:\\WINDOWS\addins\regexp.dll    REG_SZ      29
Impersonate     0 (0x00)                         REG_DWORD   4
Logoff          SysLogoff                        REG_SZ      10
Startup         SysLogon                         REG_SZ      9

Should I just delete the whole file?
>>>Should I just delete the whole file?

Yes, in Regedit, delete the whole folder (yellow icon) in the left window by right-clicking on it and selecting Delete.

Something else may be recreating it though. If the above doesn't fix it, please open a command window, and type:

 > tasklist /svc > list.txt

This will save a list of running jobs in a file named list.txt.
Use Notepad to cut and paste the contents of that file here. It may give us a clue about what's running.
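The Winlogon\Notify subkey the asker listed (DllName, Startup, Logoff, Asynchronous) describes a Winlogon notification package: winlogon.exe loads the named DLL and calls the Startup and Logoff handlers at every logon and logoff, which is why the DLL is always "in use" and why deleting the key alone does not help while the DLL can re-create it. The same key, together with AppInit_DLLs, can be reviewed offline from a regedit export (File > Export) rather than by clicking through regedit. The script below is an added example, not from this thread or any tool mentioned in it: it parses the .reg export format (string, dword and hex(2) values, including the backslash-continued lines regedit writes for long hex values), lists each Notify package with the Winlogon events it hooks, flags a DllName that names a directory other than System32, and reads AppInit_DLLs. The export text is a constructed sample that reproduces the values posted above next to one Windows-supplied package (crypt32chain, written from memory of XP and only illustrative).

```python
import re

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
SYSTEM32 = "c:\\windows\\system32\\"
# Value names under a Notify subkey that name the handler for a Winlogon event.
WINLOGON_EVENTS = {"Lock", "Logoff", "Logon", "PostShell", "Shutdown", "StartScreenSaver",
                   "StartShell", "Startup", "StopScreenSaver", "Unlock", "Disconnect", "Reconnect"}

# Constructed sample export (regedit, File > Export) of the keys discussed in the thread.
# crypt32chain stands in for a legitimate Windows package; regexp carries the values the
# asker posted. Not captured from a real machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,\
  00,6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\regexp]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\addins\\regexp.dll"
"Impersonate"=dword:00000000
"Logoff"="SysLogoff"
"Startup"="SysLogon"
"""

VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _unescape(s):
    """.reg files escape backslash and double quote with a backslash."""
    return re.sub(r'\\(["\\])', r"\1", s)


def _decode(data):
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])                       # REG_SZ
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)               # REG_DWORD
    if data.startswith("hex(2):"):                         # REG_EXPAND_SZ, UTF-16LE bytes
        raw = bytes(int(b, 16) for b in data[len("hex(2):"):].split(",") if b.strip())
        return raw.decode("utf-16-le").rstrip("\x00")
    return data                                            # other types kept as raw text


def parse_reg(text):
    """Parse a regedit export into {key path: {value name: value}}."""
    keys, current = {}, None
    # A trailing backslash continues a hex value on the next (indented) line.
    text = re.sub(r",\\\r?\n\s*", ",", text)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(default)" if m["default"] else _unescape(m["name"])
            keys[current][name] = _decode(m["data"])
    return keys


def audit_notify(keys):
    """One record per Notify package; 'suspicious' when DllName names a directory other than System32."""
    report = []
    for key, values in keys.items():
        if not key.lower().startswith(NOTIFY_KEY.lower() + "\\"):
            continue
        dll = str(values.get("DllName", ""))
        hooks = sorted(n for n in values if n in WINLOGON_EVENTS)
        # A bare file name (crypt32.dll) is resolved through the loader search path;
        # an explicit directory outside System32 is what deserves a look.
        suspicious = "\\" in dll and not dll.lower().startswith(SYSTEM32)
        report.append({"package": key.rsplit("\\", 1)[1], "dll": dll, "hooks": hooks,
                       "asynchronous": bool(values.get("Asynchronous", 0)), "suspicious": suspicious})
    return report


def appinit_dlls(keys):
    """DLLs named in AppInit_DLLs (space- or comma-separated); empty list if none."""
    value = str(keys.get(WINDOWS_KEY, {}).get("AppInit_DLLs", ""))
    return [d for d in re.split(r"[ ,]+", value) if d]


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for entry in audit_notify(parsed):
        print("CHECK" if entry["suspicious"] else "ok   ", entry["package"], entry["dll"], entry["hooks"])
    print("AppInit_DLLs:", appinit_dlls(parsed) or "(empty)")
```

On the sample, regexp is reported with hooks Logoff and Startup and a DllName under C:\WINDOWS\addins, crypt32chain is reported as normal, and AppInit_DLLs comes back empty, matching what the asker saw in RegLite; exporting the parent Winlogon key from a live machine and feeding the file to `parse_reg` gives the same view without touching the key.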
How do I open a command window?
>>how do i open a command window?

Start -> Run

then type in CMD in the small dialog and click on OK.
It looks like an old-style DOS window.
It says tasklist is not recognized as an external or internal command.
I have XP Home.
Downloaded tasklist, and opened it in WinZip, but the black MS-DOS window appears for a split second. Is that normal?
I guess this is it:


Image Name                   PID Services                                    
========================= ====== =============================================
System Idle Process            0 N/A                                          
System                         4 N/A                                          
smss.exe                     552 N/A                                          
csrss.exe                    600 N/A                                          
winlogon.exe                 624 N/A                                          
services.exe                 668 Eventlog, PlugPlay                          
lsass.exe                    680 PolicyAgent, ProtectedStorage, SamSs        
svchost.exe                  868 DcomLaunch, TermService                      
svchost.exe                  936 RpcSs                                        
svchost.exe                 1032 AudioSrv, BITS, CryptSvc, Dhcp, ERSvc,      
                                 EventSystem, FastUserSwitchingCompatibility,
                                 helpsvc, lanmanserver, lanmanworkstation,    
                                 Netman, Nla, RasMan, seclogon, SENS,        
                                 ShellHWDetection, srservice, TapiSrv,        
                                 Themes, TrkWks, w32time, winmgmt, wscsvc,    
                                 wuauserv, WZCSVC                            
svchost.exe                 1156 Dnscache                                    
svchost.exe                 1224 LmHosts, SSDPSRV, WebClient                  
spoolsv.exe                 1352 Spooler                                      
explorer.exe                1612 N/A                                          
DVDLauncher.exe             1724 N/A                                          
PCMService.exe              1736 N/A                                          
tfswctrl.exe                1752 N/A                                          
Support.exe                 1780 N/A                                          
dlbtbmgr.exe                1788 N/A                                          
dlbtbmon.exe                1820 N/A                                          
winampa.exe                 1856 N/A                                          
NotifyAlert.exe             1864 N/A                                          
msnmsgr.exe                 1872 N/A                                          
MDM.EXE                      416 MDM                                          
svchost.exe                  496 stisvc                                      
wscntfy.exe                 2460 N/A                                          
iexplore.exe                3056 N/A                                          
iexplore.exe                 132 N/A                                          
cmd.exe                     2436 N/A                                          
tasklist.exe                2896 N/A                                          
wmiprvse.exe                3212 N/A  
C:\WINDOWS\ADDINS\regexp.dll is infected with Adware.Adpopup  
C:\Program Files\backups\backup-20050503-172824-220.dll is infected with Adware.Adpopup  
C:\Program Files\backups\backup-20050503-172928-604.dll is infected with Adware.Adpopup  


The 2 backup files recreated themselves.
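tasklist /svc lists processes and the services each one hosts, but a Notify DLL such as regexp.dll runs inside winlogon.exe and explorer.exe and never appears as an image of its own, which is why the listing above looks clean. What the listing does give a reviewer is the mapping from services to host processes, and the wrapped service lists for the big svchost.exe instances make that awkward to read by hand. The Python below is an added example, not from this thread: it parses tasklist /svc output into rows, joining the continuation lines, and builds the reverse index from service name to host process, on a constructed sample abbreviated from the output posted above.

```python
import re
from collections import defaultdict

# Constructed sample: an abbreviated copy of the tasklist /svc output posted in the thread,
# keeping the wrapped service list of the svchost.exe instance with PID 1032.
SAMPLE_TASKLIST = """\
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
winlogon.exe                 624 N/A
services.exe                 668 Eventlog, PlugPlay
svchost.exe                 1032 AudioSrv, BITS, CryptSvc, Dhcp, ERSvc,
                                 EventSystem, FastUserSwitchingCompatibility,
                                 helpsvc, lanmanserver, lanmanworkstation
svchost.exe                 1156 Dnscache
explorer.exe                1612 N/A
MDM.EXE                      416 MDM
iexplore.exe                3056 N/A
iexplore.exe                 132 N/A
"""

# A data row: image name (may contain spaces), right-aligned PID, then the services column.
ROW_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>\S.*)$")
# A wrapped line: tasklist indents the continuation of a long services column.
CONT_RE = re.compile(r"^\s{10,}(?P<services>\S.*)$")


def split_services(text):
    return [s.strip() for s in text.split(",") if s.strip()]


def parse_tasklist_svc(text):
    """Parse `tasklist /svc` output into [{'image', 'pid', 'services'}], joining
    the continuation lines emitted for processes that host many services."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        cont = CONT_RE.match(line)
        if cont and rows:
            rows[-1]["services"].extend(split_services(cont["services"]))
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError("unrecognised tasklist line: %r" % line)
        svc = m["services"].strip()
        rows.append({"image": m["image"], "pid": int(m["pid"]),
                     "services": [] if svc == "N/A" else split_services(svc)})
    return rows


def service_hosts(rows):
    """Invert the table: service name -> (image, pid)."""
    return {s: (r["image"], r["pid"]) for r in rows for s in r["services"]}


def images_by_name(rows):
    """Lower-cased image name -> list of PIDs. Several instances are normal for
    svchost.exe and browsers; for anything else it is worth a second look."""
    out = defaultdict(list)
    for r in rows:
        out[r["image"].lower()].append(r["pid"])
    return dict(out)


if __name__ == "__main__":
    rows = parse_tasklist_svc(SAMPLE_TASKLIST)
    for name, (image, pid) in sorted(service_hosts(rows).items(), key=str.lower):
        print("%-32s %s (%d)" % (name, image, pid))
```

Feed it the list.txt saved with `tasklist /svc > list.txt` and the service-to-host index answers questions like "which svchost.exe hosts Dnscache"; what it cannot answer is which DLLs each of those processes has loaded, which is the question this thread actually needed and which Process Explorer (mentioned earlier) does answer.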
Jollyhunter,

Here is what I recommend:

Change the permissions on those three files so that no one can access them, then reboot, then change the permissions back one by one and delete all three files.

Here is how you can change permissions in XP Home Edition:

(1) Reboot in safe mode

(2) Right-click on the file (e.g. regexp.dll) in Windows Explorer
      Select "Properties", then the "Security" tab
      Click on "Advanced", then un-check the box that reads "inherit permissions..."
      When a dialog box pops up, click on "Remove"
      This will remove all permissions for that file.

(3) Repeat for all three files.

Then reboot in safe mode again.

Then change permissions as follows so you can delete the files:

 Right-click on file in Windows Explorer, Properties->Security
 Then click on "Add" and enter in your own username, then "OK"
 Then check the box labeled "Full Control"

After that you can delete the file (and empty the trash)

Repeat for other two files

Reboot in normal mode, and at least that infection should be gone.
(I hope)

The problem is that they are recreated upon reboot from within the registry.

Zee
Yes, I know blue_zee.
Yesterday I used RegLite and changed the browser helper file below to "NOTBrowser Helper objects"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B8B55274-0F9A-41E5-9067-A3539BD9E860}

and I changed the key Notify to "NotNotify"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\regexp

Before I did that, when I deleted the 2 keys, {B8B55274-0F9A-41E5-9067-A3539BD9E860} and regexp, they would appear immediately afterwards. But when I did that, they did not appear (obviously because they were programmed to only be created in those folders).
So when I rebooted, a new Browser Helper Object file recreated itself along with {B8B55274-0F9A-41E5-9067-A3539BD9E860} only, and a new Notify folder was recreated with the key regexp. The backup files I deleted earlier also managed to recreate themselves.

C:\Program Files\backups\backup-20050503-172824-220.dll is infected with Adware.Adpopup  
C:\Program Files\backups\backup-20050503-172928-604.dll is infected with Adware.Adpopup

Now we just need to find out what the main file creating both of them is, or it could be that both of them are programmed to create the other if destroyed.

The solution should be around the AppInit_DLL.

I just don't know why you can't find it. There was one other question where I was helping that also didn't manage to find it in the registry.

On that one Adware Away cleaned it with a couple of clicks and a reboot (a different nasty).

But it seems you don't manage to install that tool.

Perhaps worth retrying.

Zee
ASKER CERTIFIED SOLUTION (r-k)
You're right r-k, it is very effective. I think I've deleted the 3 files. Thanks r-k.
Whew, glad you got rid of those three! Thanks for the feedback.

As a guess, probably what was happening was that the malware was re-creating those Registry entries that you kept deleting. Now that you deleted the files, you should be able to delete the offending Registry entries, and they should stay deleted. It probably doesn't matter too much whether you do this extra step or not, because the files themselves are gone.

Good luck.