J0llyhunter
asked on
IEXPLORE.EXE-2D97EBE6.pf TROJAN VIRUS!
Hi guys, recently my computer seems slow and unresponsive. I checked the task manager and the internet for solutions and found I had this file called 'IEXPLORE.EXE-2D97EBE6.pf' in my prefetch. I'm pretty sure it's a trojan virus but I have no idea how to get rid of it because it keeps coming back after I reboot my computer. I used HouseCall, Ad-Aware - nothing. The solutions on the web don't have the cure and Symantec doesn't have it. I'm so stuck right now!
here's my logfile:
Logfile of HijackThis v1.99.0
Scan saved at 12:15:56 AM, on 5/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\addins\regexp.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\swqjll.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
You also have a lot of extras running, which are not bad by themselves, but could be a burden on the system if it's slow or is low on memory.
Next time please use this auto-analysis site:
http://www.hijackthis.de/index.php?langselect=english
Your log analysis is here:
http://www.hijackthis.de/logfiles/3ed6afddb7c0c9aa7c86ca55ff19ca6d.html
Next time please post a LINK like this one rather than the log.
These entries have been positively identified as malicious programs. In the HijackThis program, place a check mark next to the following entries.
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
(Description: Spyware installed by Kazaa.)
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
(Description: Part of Gator advertising spyware - see here for removal instructions )
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\swqjll.exe
(Description: Added by the BACKDOOR.JUPDATE TROJAN! )
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
(Description: Gator spyware variant. See Gator )
The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
(Description: Intel hotkey applet. Unnecessary. Removing this will free up a small amount of system resources.)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
(Description: RealPlayer scheduler. Completely unnecessary. Removing this entry will free up a small amount of system resources.)
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
(Description: Loads the System Tray icon for the WinAmp media player. Can be used to maintain file associations so programs like QuickTime and RealPlayer don't take over as default player for various media types. Available via Start -> Programs. If you don't use WinAmp constantly, removing this entry will free up some system resources. )
Now:
1) Press the "Fix checked" button. Then close HijackThis.
2) Then reboot your computer.
3) Kazaa has installed spyware on your PC. Go to the Control Panel, Add/Remove programs. Uninstall Kazaa. Uninstall P2P Networking.
4) Delete the folder C:\Program Files\Common Files\CMEII\
5) Delete the file referenced in the "O4 - [JavaUpdate0.07]" entry of your log.
6) Delete the folder C:\Program Files\Common Files\GMT\
7) Empty your recycle bin.
8) Run Windows Update and install all critical updates.
9) Make sure your anti-virus program is up to date with the latest patches. If you do not have an anti-virus program, download and install AVG Personal Edition Anti-Virus, which is free.
10) Reboot one last time. Your PC should now be free from spyware!
We suggest that you run HijackThis again, just to make sure that none of the entries that you removed suddenly reappeared. If they haven't, print out your HijackThis log and put it somewhere safe. You can refer to it later if your PC starts acting up.
Get rid of Kazaa or this won't stop.
Good luck,
Zee
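Added example (not part of the thread, and not HijackThis's or hijackthis.de's code): the triage Zee did by hand above can be written down as a few checks over the log's O2, O4 and O20 lines. The script parses constructed sample lines copied from entries in this log, flags by file name the components the thread identified as adware (CMESys, GMT, P2P Networking), and applies three heuristics of the editor's own: a Winlogon Notify (O20) DLL outside System32, a BHO outside Program Files or System32, and a Run value whose name borrows a vendor word ("JavaUpdate0.07") while its path does not, plus a weak signal for a vowel-less file name dropped straight into System32 (swqjll.exe). The O20 check is the security-relevant one. Winlogon notification packages are loaded by winlogon.exe, which runs as LocalSystem, before any user logs on; in the regexp subkey posted later in the thread, Startup and Logoff name the exported functions winlogon calls, Asynchronous=1 runs them on their own thread, and Impersonate=0 runs them in winlogon's own context rather than as the logged-on user. That is why regexp.dll is locked while Windows is up and why removing the O2 BHO entry alone does not stop it. These heuristics produce leads, not verdicts; legitimate software installed in unusual directories will trip them.

```python
"""Triage of HijackThis-style startup entries (O2 BHOs, O4 Run keys,
O20 Winlogon Notify packages).

Added example for this thread, not code from HijackThis or hijackthis.de.
SAMPLE_LOG is constructed from entries quoted in the log above; the
heuristics are the editor's own and produce weak signals, not verdicts.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\addins\regexp.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\swqjll.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O20 - Winlogon Notify: regexp - C:\WINDOWS\addins\regexp.dll
"""


@dataclass
class Entry:
    section: str   # "O2", "O4" or "O20"
    name: str      # BHO name, Run value name, or Notify subkey name
    path: str      # image path as launched at startup, lower-cased


LINE_PATTERNS = (
    ("O2", re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<cmd>.+)$")),
    ("O4", re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")),
    ("O4", re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")),
    ("O20", re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<cmd>.+)$")),
)
# First image path in a command line: optional opening quote, then up to the
# first executable extension. Copes with unquoted paths that contain spaces.
IMAGE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|com|scr|cpl|bat))\b', re.I)

SYSTEM32 = r"c:\windows\system32"
TRUSTED_PREFIXES = (SYSTEM32, r"c:\program files")
# Components this thread identified as adware (Gator/Claria and the
# P2P Networking bundle shipped with Kazaa); a real triage uses a larger list.
THREAD_IDENTIFIED_ADWARE = {
    "cmesys.exe": "Gator/Claria CMESys",
    "gmt.exe": "Gator/Claria GMT",
    "p2p networking.exe": "P2P Networking (bundled with Kazaa)",
}
# Vendor words malware likes to borrow for its Run value name.
VENDOR_WORDS = ("java", "adobe", "google", "intel", "dell", "symantec", "quicktime")


def parse(log: str) -> List[Entry]:
    """Turn HijackThis O2/O4/O20 lines into Entry records; other lines are ignored."""
    entries: List[Entry] = []
    for line in log.splitlines():
        line = line.strip()
        for section, pattern in LINE_PATTERNS:
            m = pattern.match(line)
            if not m:
                continue
            img = IMAGE_RE.match(m.group("cmd"))
            if img:  # skip entries with no resolvable image (e.g. ".lnk = ?")
                path = img.group("path").lower().replace("/", "\\")
                entries.append(Entry(section, m.group("name"), path))
            break
    return entries


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map "<section> <name>" to the reasons an entry deserves a look."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        directory, _, filename = e.path.rpartition("\\")
        stem = filename.rsplit(".", 1)[0]
        reasons: List[str] = []
        if filename in THREAD_IDENTIFIED_ADWARE:
            reasons.append("known adware component: " + THREAD_IDENTIFIED_ADWARE[filename])
        if e.section == "O20" and directory != SYSTEM32:
            # Notify packages are loaded by winlogon.exe (LocalSystem) before any
            # user logs on, so the DLL is locked while Windows is up. The stock
            # Microsoft packages all live in System32.
            reasons.append("Winlogon Notify DLL outside System32")
        if e.section == "O2" and not directory.startswith(TRUSTED_PREFIXES):
            reasons.append("BHO loaded from an unusual directory")
        for word in VENDOR_WORDS:
            if word in e.name.lower() and word not in e.path:
                reasons.append(f"value name claims '{word}' but the path does not")
        if (directory == SYSTEM32 and stem.isalpha() and len(stem) >= 6
                and not set(stem) & set("aeiouy")):
            reasons.append("vowel-less random-looking name dropped directly in System32 (weak)")
        if reasons:
            findings[f"{e.section} {e.name}"] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in triage(parse(SAMPLE_LOG)).items():
        print(key)
        for r in reasons:
            print("   -", r)
```

Run as-is it reports the six entries the thread ends up removing (P2P Networking, CMESys, GStartup.lnk, JavaUpdate0.07, the MSEvents BHO and the regexp Notify package) and stays quiet on the Intel, Java and Adobe entries. To use it on a real log, paste the log in place of SAMPLE_LOG; anything it flags still needs the file checked (publisher, hash, strings) before you "Fix checked".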
ASKER
Hey, my CPU memory was only like 5% a few days ago and now sometimes it pops up to 50% or more, so I wasn't thinking about the spyware since I've had it for more than a few days. I tried deleting the Conexant camera but when I reboot it, it reinstalled itself along with something like PCI communications, u??? half modem... and a few other programs.
this is my log
http://www.hijackthis.de/logfiles/0cfc847d2e50f53a3bb078bc3be7dd2a.html
ASKER
Also I found a few P2P Networking and Gator files in my prefetch. Should I delete them?
They are:
GATORSTUBSETUP.EXE-39E31F8A.pf
P2PNETWORKING.EXE-3470F776.pf
P2PNETWORKINGP2P93.EXE0601F618.pf
CMESYS.EXE-117633DE.pf
GMT.EXE-3182804d
>also i found a few p2pnetworking and gator files in my prefetcg. should i delete them?
Yes, you can delete them though I don't think it really matters.
Is your computer more responsive now that you removed Gator and P2P?
MUST DO:
Place HJT in its own folder, don't run it from a temp folder or desktop as you will lose all backups, and they may be needed if you want to undo any erroneous fix.
Your HJT log doesn't look too bad now.
I would fix these:
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\addins\regexp.dll
O20 - Winlogon Notify: regexp - C:\WINDOWS\addins\regexp.dll
Zee
If you want to know what's eating up your resources use Process Explorer:
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
Also worth trying is an online virus scanner (run at least 2 of them):
Panda ActiveScan
http://www.pandasoftware.com/activescan
Bitdefender
http://www.bitdefender.com/scan/Msie/index.php
McAfee FreeScan
http://us.mcafee.com/root/mfs/default.asp
Symantec Security Check
http://security.symantec.com/sscv6/
Pc-Cillin (Trend Micro Housecall)
http://housecall.antivirus.com/housecall/start_pcc.asp
PcPitstop
http://pcpitstop.com/antivirus/default.asp
RAV
http://www.ravantivirus.com/scan/
Zee
ASKER
r-k, I wouldn't know if my Windows is running faster now because it only screws up from time to time when I'm surfing on the net...
To Zee, I suspected those files on my log too because I had the req.dat trojan virus, and they sort of look similar. But anyways, I couldn't delete
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\addins\regexp.dll
O20 - Winlogon Notify: regexp - C:\WINDOWS\addins\regexp.dll
Download BHODemon:
http://www.majorgeeks.com/download3550.html
Run it and untick/de-activate the entry mentioning regexp.dll.
See if that does it. I believe it will.
If not, try KillBox:
http://www.downloads.subratam.org/KillBox.zip
Unzip it and launch.
Select "Delete on Reboot".
In "Full Path of File to Delete", type:
C:\WINDOWS\addins\regexp.dll
Click the button with a red circle and white cross.
Close KillBox and reboot.
Good luck.
Zee
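Added example (not part of the thread and not KillBox's code) showing what "Delete on Reboot" actually does. The Win32 call behind it, MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, does not touch the file; it appends a source/destination string pair to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and smss.exe carries the list out at the next boot, before winlogon.exe (and therefore any Winlogon Notify DLL it would load) exists. That is why it can remove a DLL that is "in use" from Explorer, Safe Mode included. It does nothing about whatever re-drops the file, so if a still-running component recreates regexp.dll and its Notify key, the delete takes effect and the infection returns, which is what the thread later observes. The functions below build and parse the value offline so the format can be studied; the Windows-only helper at the end is the live call and is not exercised here.

```python
"""The mechanism behind KillBox's "Delete on Reboot".

Added example for this thread, not KillBox's code. Builds and reads the
REG_MULTI_SZ value
  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
that MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT) appends to and smss.exe
processes at boot. Nothing here writes to a registry.
"""
import sys
from typing import List, Tuple

NT_PREFIX = "\\??\\"   # Win32 "C:\x" is stored as the NT object path "\??\C:\x"
REPLACE_MARK = "!"     # destination prefixed with "!" = MOVEFILE_REPLACE_EXISTING


def to_nt_path(win32_path: str) -> str:
    """Prefix a Win32 path the way MoveFileEx records it."""
    return win32_path if win32_path.startswith(NT_PREFIX) else NT_PREFIX + win32_path


def encode_pending_ops(ops: List[Tuple[str, str]], existing: bytes = b"") -> bytes:
    """Return REG_MULTI_SZ bytes for `existing` plus the given operations.

    Each op is (source, destination) in Win32 form. destination "" means
    "delete source at boot"; "!dest" means "move over dest even if it exists".
    """
    if existing and not existing.endswith(b"\0\0"):
        raise ValueError("existing value is not a terminated REG_MULTI_SZ")
    strings: List[str] = []
    for src, dst in ops:
        strings.append(to_nt_path(src))
        if dst == "":
            strings.append("")
        elif dst.startswith(REPLACE_MARK):
            strings.append(REPLACE_MARK + to_nt_path(dst[1:]))
        else:
            strings.append(to_nt_path(dst))
    # REG_MULTI_SZ: every string is NUL-terminated and one extra NUL ends the
    # list. Drop the old list terminator (one UTF-16 NUL) before appending.
    body = existing[:-2] if existing else b""
    body += "".join(s + "\0" for s in strings).encode("utf-16-le")
    return body + "\0".encode("utf-16-le")


def decode_pending_ops(blob: bytes) -> List[Tuple[str, str, str]]:
    """Parse the value into (source, destination, action) triples.

    Useful forensically: malware uses the same value to swap files at boot,
    so an unexpected entry here is worth a look.
    """
    if not blob:
        return []
    text = blob.decode("utf-16-le")
    if not text.endswith("\0"):
        raise ValueError("REG_MULTI_SZ missing list terminator")
    # Strip the list terminator, split on string terminators, drop the
    # empty tail produced by the final string's own NUL.
    items = text[:-1].split("\0")[:-1]
    if len(items) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    result = []
    for src, dst in zip(items[::2], items[1::2]):
        if dst == "":
            action = "delete"
        elif dst.startswith(REPLACE_MARK):
            action = "replace"
        else:
            action = "rename"
        result.append((src, dst, action))
    return result


def schedule_delete_on_reboot(win32_path: str) -> None:
    """Live equivalent of KillBox's button (Windows only; writing HKLM needs admin)."""
    if sys.platform != "win32":
        raise RuntimeError("MoveFileExW is only available on Windows")
    import ctypes
    MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
    if not ctypes.windll.kernel32.MoveFileExW(win32_path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError()


if __name__ == "__main__":
    value = encode_pending_ops([(r"C:\WINDOWS\addins\regexp.dll", "")])
    for src, dst, action in decode_pending_ops(value):
        print(f"{action:8} {src} -> {dst or '(none)'}")
```

On the affected machine the pending list can be inspected before rebooting with `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations`; if the entry is there and the file is still present after the reboot, something running at startup put it back, and that is what has to be found (Autoruns and `tasklist /svc`, as suggested later in the thread).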
ASKER
Ooh, ran virus scans on McAfee and Symantec.
McAfee:
C:\...\backup-20050502-174911-600.dll infected with Vundo
C:\...\backup-20050502-174955-122.dll infected with Vundo
C:\WINDOWS\ADDINS\regexp.dll infected with Vundo
Symantec:
C:\WINDOWS\ADDINS\regexp.dll is infected with Adware.Adpopup
C:\Program Files\backups\backup-20050320-013907-810.dll is infected with Adware.P2PNetworking
C:\I386\MARSHAL.DLL is infected with Adware.P2PNetworking
C:\Documents and Settings\Jennifer Wong\Local Settings\Temp\backups\backup-20050502-174911-600.dll is infected with Adware.Adpopup
C:\Documents and Settings\Jennifer Wong\Local Settings\Temp\backups\backup-20050502-174955-122.dll is infected with Adware.Adpopup
I'll go do what you said now.
And on your way, delete all temp folder contents, IE cache, etc..
You may try CCleaner:
http://www.ccleaner.com/
Zee
ASKER
Should I use KillBox to delete all the files that are infected as well?
ASKER
And I have one folder called "temp" and another called "Temporary Internet Files". Do I delete contents in both?
>>>
and i have one folder called "temp" another called "temporary Internet files" do i delete contents in both?
<<<
(1) For temp folder, delete the contents of:
c:\documents and folders\username\local settings\temp
(2) For Internet Cache, do it from within IE:
Tools -> Internet Options -> Delete Files -> Delete All Offline Content -> OK
ASKER
Couldn't delete ~DFA1FD.tmp and Perflib_Perfdata_764. Should I use KillBox to delete these files along with
C:\WINDOWS\ADDINS\regexp.dll is infected with Adware.Adpopup
C:\Program Files\backups\backup-20050320-013907-810.dll is infected with Adware.P2PNetworking
C:\I386\MARSHAL.DLL is infected with Adware.P2PNetworking
Don't worry about the couple of files that are "in use" in the Temp folder. just delete all the ones that you can.
Definitely do delete the other 3 files, which are known to be infected. Killbox should work on those three.
ASKER
Interestingly enough, regexp.dll is still here. Shall I download MoveOnBoot and see if it works?
ASKER
Darn it, I ran MoveOnBoot and it's STILL there!
I am not familiar with MoveOnBoot, but you could try it.
Else, boot in safe mode and see if you can just delete it directly (and empty the trash)
Alternately, if you have XP Pro, you can right-click on the file (regexp.dll), select Properties, then Security and remove all permissions for everyone (including System) to access that file. Then reboot, change permissions so you have permission to delete it, then delete it.
ASKER
Um, I don't have the Security tab, but I'm gonna reboot in safe mode and see if I can fix it. There's probably another file that's creating regexp.dll again and again.
ASKER
OK, it didn't work. It says I'm currently using it.
Here's a link on how to get the Security Tab to be visible:
http://windows.about.com/od/tipsarchive/l/bltip542.htm
When you try to change the permissions on that file, it may complain that it is "inheriting permissions from parent folder..". In that case click on the Advanced Button and in the next window un-check the box marked "Inherit permissions..." and then select the "Remove" button. That will remove all permissions.
ASKER
I don't have the option "use simple file sharing" and it shouldn't matter, since I can log on as admin, right?
>>>
i dont have the option "use simple file sharing".
<<<
You must have XP Home Edition. It's not easy to set permissions there.
Instead of changing permissions, you could try Dr. Delete to delete the offending file:
http://www.docsdownloads.com/Tier1/dr-delete.htm
If you do decide to dig into setting permissions in XP Home, see:
http://whoozoo.co.uk/winxpFilePerms.htm#4
Try starting in Safe Mode, turn off System Restore, and use Killbox to delete those persistent files.
Zee
And this is a way to do it:
http://castlecops.com/check24086previous.html
Not easy, but I believe it will work for you.
Zee
ASKER
My system restore has always been disabled.
1. So I use RegLite to go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
2. See if I have a hidden file?
3. Copy the path of the hidden file in "value"
4. Change "windows" to "NOTWINDOWS" (edit and rename)
5. Clear value in AppInit_DLLs
6. Rename "windows" back to "windows"
7. Start, Run, type cmd, click OK
8. Type in dir <path of file and filename in "value">, press enter (do I type dir?)
9. Go to where the dll is, type attrib -r "nameofdll".dll (quotation marks excluded?)
10. Type del "nameofdll".dll
11. Type dir <path and name of dll as found in the appinit value box> and locate the dll name; the dll should now have been removed and will not be listed.
Check the following two links for instructions on downloading and running the applications listed:
How to use Spybot to remove Spyware
How to use Ad-Aware to remove Spyware
Restart computer in safe mode (How do I boot into "Safe" mode?) and run these programs again, just to make sure all traces are gone.
Boot up PC as normal and you should be trouble free.
Yes.
ASKER
I have no value in AppInit.
ASKER
regexp wasn't detected by that program.
Have you tried BHODemon as I suggested above:
http://www.majorgeeks.com/download3550.html
Run it and untick/de-activate the entry mentioning regexp.dll.
See if that does it.
And I'm running out of ideas.
Zee
Here's a suggestion in case you haven't tried this:
Start -> Run -> regedit (click on OK)
This starts the Registry editor.
In the left Window, expand the following tree:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
Then right-click on the yellow icon labeled: {B8B55274-0F9A-41E5-9067-A3539BD9E860}
and select "Delete"
Close Regedit and reboot. See if you can now delete the c:\windows\regexp.dll file.
ASKER
Zee, I have dl'ed BHODemon and unticked regexp.dll but the file remains there (unchecked).
r-k, no luck in deleting regexp after what you said yet...
ASKER
Crap, my C:\Program Files\backups\backup-20050320-013907-810.dll recreated itself.
ASKER
I found a few files with the value regexp.dll in the registry. One is in the notify folder where all my other programs start up when I turn on my computer (I forgot the address to the notify folder and I'm having a hard time finding it) and the other one is
HKEY_CLASSES_ROOT\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}\InprocServ\
OK, here's another suggestion:
Download Autoruns.exe from:
http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml
When you run it, it shows a bunch of things that start automatically. Open the "View" menu and select everything between "Show Appinit Dlls" to "Hide Microsoft Entries", then select Refresh and it will give you a new list of startups.
Examine the list carefully and un-check anything that looks suspicious.
Then exit Autoruns and reboot.
Run Autoruns again and see if the things you unchecked earlier are still unchecked.
If they are, you should be able to delete the undesirable files.
Whether they are unchecked or not, you use the "Save as..." option in Autoruns to save that list to a text file and then cut and paste it here with Notepad or other text editor.
>>>>
I found a few files with the value regexp.dll in the registry. One is in the notify folder where all my other programs start up when I turn on my computer (I forgot the address to the notify folder and I'm having a hard time finding it) and the other one is
HKEY_CLASSES_ROOT\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}\InprocServ\
<<<<
That CLSID entry can be ignored assuming you were able to delete the "Browser Helper Objects" entry I mentioned in an earlier post, but you can also delete it for completeness.
If you found a reference to regexp.dll elsewhere in the Registry please post the full path that you found it in.
As you probably noticed, you can use Edit -> Find from the Regedit menu to search for all occurrences of regexp.dll anywhere in the registry.
ASKER
I don't know why but I can't find the entry now. It was located in a folder called notify.
I also thought of a way to delete the virus. Last time I had a virus I had to go into safe mode to change the programs which open up when I start my computer. Maybe I can uncheck regexp.dll from there. I'll try to find where it is as I forgot.
I think the problem is in the registry as r-k is suggesting but it has to do with the
HKEY_LOCAL_MACHINE\SOFTWAR
entry.
I just don't understand, yet, why you can't find it with RegLite.
Zee
ASKER
oh yea, thanks, i found the notify folder:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
there's a folder called regexp there
You can either run Autoruns (see above for description) and disable the key there, then reboot and see if stays disabled, OR, you can go ahead and delete that key in regedit, reboot and check if the key stays deleted.
If successful, you can then delete the regexp.dll file itself.
ASKER
it recreated itself. in the regexp folder there are 6 files
Name Data Type Size
(default) (Value not set)
Asynchronous 1 (0x01) REG_DWORD 4
DllName C:\\WINDOWS\addins\regexp.dll REG_SZ 29
Impersonate 0 (0x00) REG_DWORD 4
Logoff SysLogoff REG_SZ 10
Startup SysLogon REG_SZ 9
should i just delete the whole file?
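The Notify subkey shown above is an XP-era Winlogon notification package: winlogon.exe loads whatever DllName names and calls the exported functions listed in Startup and Logoff, before any user shell exists, which is why the BHO and this key keep reappearing. As an added example (editor's code, not from anyone in this thread), the PowerShell below lists both persistence points the thread is chasing, Winlogon\Notify packages and Browser Helper Objects, resolves each DLL to a file and flags anything that lives outside System32 or lacks a valid Authenticode signature. It assumes Windows PowerShell 5.1 or later and creates the HKCR: drive itself; the registry paths are the ones quoted in this thread.

```powershell
# Added example, not code from this thread: audit Winlogon\Notify packages and
# Browser Helper Objects and flag DLLs outside System32 or without a valid signature.
# Assumes Windows PowerShell 5.1+; nothing here is specific to the asker's machine.

$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$bhoKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$system32  = Join-Path $env:SystemRoot 'System32'

# PowerShell ships HKLM: and HKCU: drives but not HKCR:, which BHO lookups need.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# Read a named value (or the key's default value) without throwing when absent.
function Get-RegValue {
    param([string]$Key, [string]$Name = '(default)')
    $item = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($null -ne $item -and $null -ne $item.PSObject.Properties[$Name]) {
        $item.PSObject.Properties[$Name].Value
    }
}

# Resolve a DLL reference the way the loader would for these keys and describe it.
function Test-LoadedDll {
    param([string]$Source, [string]$Name, [string]$RawPath)
    $full = [Environment]::ExpandEnvironmentVariables($RawPath)
    # A bare Notify DllName such as "regexp.dll" is looked up in System32.
    if (-not [IO.Path]::IsPathRooted($full)) { $full = Join-Path $system32 $full }
    $exists  = Test-Path -LiteralPath $full -PathType Leaf
    $status  = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $full).Status.ToString() } else { 'Missing' }
    $inSys32 = $full.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
    [pscustomobject]@{
        Source     = $Source
        Name       = $Name
        Dll        = $full
        Signature  = $status
        Suspicious = (-not $inSys32) -or ($status -ne 'Valid')
    }
}

$results = @()

# 1. Winlogon notification packages: one subkey per package, DllName is the module
#    winlogon.exe loads; the other values (Startup, Logoff, ...) name the callbacks.
if (Test-Path -LiteralPath $notifyKey) {
    foreach ($sub in Get-ChildItem -LiteralPath $notifyKey) {
        $dll = Get-RegValue -Key $sub.PSPath -Name 'DllName'
        if ($dll) { $results += Test-LoadedDll 'Winlogon\Notify' $sub.PSChildName $dll }
    }
}

# 2. Browser Helper Objects: each subkey is a CLSID; the DLL Internet Explorer loads
#    is the default value of that CLSID's InprocServer32 key under HKCR.
if (Test-Path -LiteralPath $bhoKey) {
    foreach ($sub in Get-ChildItem -LiteralPath $bhoKey) {
        $clsid = $sub.PSChildName
        $dll   = Get-RegValue -Key "HKCR:\CLSID\$clsid\InprocServer32"
        if ($dll) { $results += Test-LoadedDll 'BHO' $clsid $dll }
    }
}

# Suspicious rows first: a DllName under C:\WINDOWS\addins, as in this thread, sorts to the top.
$results | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Two caveats when reading the output: a location or signature check is a triage aid, not proof (plenty of legitimate third-party BHOs are unsigned and live under Program Files), and Windows Vista and later no longer load Winlogon notification packages at all, so on a modern machine an entry under that key is a leftover rather than an active load point.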
>>>should i just delete the whole file?
Yes, in Regedit, delete the whole folder (yellow icon) in the left-window by right-clicking on it selecting Delete.
Something else may be recreating it though. If the above doesn't fix it, please open a command window, and type:
> tasklist /svc > list.txt
this will save a list of running jobs in a file named list.txt
Use notepad to cut and paste the contents of that file here. may give us a clue about what's running.
ASKER
how do i open a command window?
>>how do i open a command window?
Start -> Run
then type in CMD in the small dialog and click on OK.
It looks like an old-style DOS window.
ASKER
it says tasklist is not recognized as an external or internal command
ASKER
i have xp home
ASKER
downloaded tasklist, and opened it in winzip but the black ms dos window appears for a split second, is it normal?
ASKER
i guess this is it:
Image Name PID Services
========================= ====== ========================== ========== =========
System Idle Process 0 N/A
System 4 N/A
smss.exe 552 N/A
csrss.exe 600 N/A
winlogon.exe 624 N/A
services.exe 668 Eventlog, PlugPlay
lsass.exe 680 PolicyAgent, ProtectedStorage, SamSs
svchost.exe 868 DcomLaunch, TermService
svchost.exe 936 RpcSs
svchost.exe 1032 AudioSrv, BITS, CryptSvc, Dhcp, ERSvc,
EventSystem, FastUserSwitchingCompatibi lity,
helpsvc, lanmanserver, lanmanworkstation,
Netman, Nla, RasMan, seclogon, SENS,
ShellHWDetection, srservice, TapiSrv,
Themes, TrkWks, w32time, winmgmt, wscsvc,
wuauserv, WZCSVC
svchost.exe 1156 Dnscache
svchost.exe 1224 LmHosts, SSDPSRV, WebClient
spoolsv.exe 1352 Spooler
explorer.exe 1612 N/A
DVDLauncher.exe 1724 N/A
PCMService.exe 1736 N/A
tfswctrl.exe 1752 N/A
Support.exe 1780 N/A
dlbtbmgr.exe 1788 N/A
dlbtbmon.exe 1820 N/A
winampa.exe 1856 N/A
NotifyAlert.exe 1864 N/A
msnmsgr.exe 1872 N/A
MDM.EXE 416 MDM
svchost.exe 496 stisvc
wscntfy.exe 2460 N/A
iexplore.exe 3056 N/A
iexplore.exe 132 N/A
cmd.exe 2436 N/A
tasklist.exe 2896 N/A
wmiprvse.exe 3212 N/A
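What r-k is after with `tasklist /svc` is the mapping from each svchost.exe instance to the services it hosts, plus a list of images nobody can account for. As an added example (editor's code, not from anyone in this thread), the PowerShell below parses a pasted tasklist /svc listing, including the wrapped service lines, into objects and applies the two checks a reviewer does by eye. The sample text is constructed from the listing above with the indentation real tasklist output puts on continuation lines (the forum paste lost it); the `svchost.exe 2948` and `unknown.exe 2112` rows are constructed additions to show what a finding looks like, and the baseline list is simply the image names that appear in the asker's listing.

```powershell
# Added example, not code from this thread: parse "tasklist /svc" text and flag
# svchost instances hosting nothing and images outside a baseline.
# Sample input is constructed; the two rows marked below do not appear in the thread.
$sample = @'
Image Name                     PID Services
========================= ====== =============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       552 N/A
winlogon.exe                   624 N/A
services.exe                   668 Eventlog, PlugPlay
lsass.exe                      680 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                    868 DcomLaunch, TermService
svchost.exe                    936 RpcSs
svchost.exe                   1032 AudioSrv, BITS, CryptSvc, Dhcp, ERSvc,
                                   EventSystem, helpsvc, lanmanserver,
                                   wuauserv, WZCSVC
svchost.exe                   1156 Dnscache
svchost.exe                   2948 N/A
explorer.exe                  1612 N/A
unknown.exe                   2112 N/A
iexplore.exe                  3056 N/A
iexplore.exe                   132 N/A
'@
# (svchost.exe 2948 and unknown.exe 2112 are constructed rows for the demonstration)

# Turn the listing into objects with Image, PID and a Services array.
function ConvertFrom-TasklistSvc {
    param([string[]]$Lines)
    $rows = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*$' -or $line -like 'Image Name*' -or $line -like '=*') { continue }
        if ($line -match '^(?<image>\S.*?)\s+(?<pid>\d+)\s+(?<svc>.*)$') {
            # An entry line: image name, PID, then the first chunk of the service list.
            $current = [pscustomobject]@{
                Image    = $matches.image
                PID      = [int]$matches.pid
                Services = @()
            }
            $current.Services = @($matches.svc -split ',\s*' | Where-Object { $_ -and $_ -ne 'N/A' })
            $rows.Add($current)
        } elseif ($null -ne $current -and $line -match '^\s+(?<svc>\S.*)$') {
            # A continuation line: tasklist wraps long service lists and indents the rest.
            $current.Services += @($matches.svc -split ',\s*' | Where-Object { $_ })
        }
    }
    return $rows
}

# The two checks: svchost.exe is only a container, so an instance hosting no service
# is worth a look; any image not in the baseline is the other starting point.
function Find-TasklistOddities {
    param([object[]]$Rows, [string[]]$Baseline)
    foreach ($r in $Rows) {
        if ($r.Image -eq 'svchost.exe' -and $r.Services.Count -eq 0) {
            "PID $($r.PID): svchost.exe hosting no service"
        } elseif ($Baseline -notcontains $r.Image) {
            "PID $($r.PID): image not in baseline: $($r.Image)"
        }
    }
}

$rows = ConvertFrom-TasklistSvc ($sample -split "`r?`n")

# Per-instance view of what each svchost.exe carries.
$rows | Where-Object { $_.Image -eq 'svchost.exe' } |
    Select-Object PID, @{ n = 'Services'; e = { $_.Services -join ', ' } } | Format-Table -AutoSize

# Baseline: the image names present in the asker's own listing above.
$baseline = 'System Idle Process', 'System', 'smss.exe', 'csrss.exe', 'winlogon.exe', 'services.exe',
            'lsass.exe', 'svchost.exe', 'spoolsv.exe', 'explorer.exe', 'iexplore.exe', 'cmd.exe',
            'tasklist.exe', 'wmiprvse.exe'
Find-TasklistOddities -Rows $rows -Baseline $baseline
```

On a live machine replace the here-string with `tasklist /svc` piped into the function (or use `tasklist /svc /fo csv | ConvertFrom-Csv` and skip the parser). The baseline check only tells you what to examine next; an unlisted image is unexpected, not yet malicious, and a svchost.exe with no services can also be one that is still starting up.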
ASKER
C:\WINDOWS\ADDINS\regexp.dll is infected with Adware.Adpopup
C:\Program Files\backups\backup-20050503-172824-220.dll is infected with Adware.Adpopup
C:\Program Files\backups\backup-20050503-172928-604.dll is infected with Adware.Adpopup
the 2 backup files recreated themselves.
Jollyhunter,
Here is what I recommend:
Change the permissions on those three files so that no one can access them, then reboot, then change the permissions back one by one and delete all three files.
Here is how you can change permissions in XP Home Edition:
(1) Reboot in safe mode
(2) Right-click on the file (e.g. regexp.dll) in Windows Explorer
Select "Properties", then the "Security" tab
Click on "Advanced", then un-check the box that reads "inherit permissions..."
When a dialog box pops up, click on "Remove"
This will remove all permissions for that file.
(3) Repeat for all three files.
Then reboot in safe mode again.
Then change permissions as follows so you can delete the files:
Right-click on file in Windows Explorer, Properties->Security
Then click on "Add" and enter in your own username, then "OK"
Then check the box labeled "Full Control"
After that you can delete the file (and empty the trash)
Repeat for other two files
Reboot in normal mode, and at least that infection should be gone.
(I hope)
The problem is that they are recreated upon reboot from within the registry.
Zee
ASKER
yes, i know blue_zee.
yesterday i used reglite and changed the browser helper key below to "NOTBrowser Helper objects"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B8B55274-0F9A-41E5-9067-A3539BD9E860}
and i changed the key Notify to "NotNotify"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\regexp
before i did that, when i deleted the 2 keys, {B8B55274-0F9A-41E5-9067-A3539BD9E860} and regexp, they would appear again immediately afterwards. but when i did that, they did not appear (obviously because they were programmed to only be created in those folders)
so when i rebooted, a new Browser Helper Objects key recreated itself along with {B8B55274-0F9A-41E5-9067-A3539BD9E860} only, and a new Notify folder was recreated with the key regexp. the backup files i deleted earlier also managed to recreate themselves.
C:\Program Files\backups\backup-20050503-172824-220.dll is infected with Adware.Adpopup
C:\Program Files\backups\backup-20050503-172928-604.dll is infected with Adware.Adpopup
now we just need to find out what the main file creating both of them is, or could be that both of them are programmed to created the other if destroyed.
The solution should be around the AppInit_DLL.
I just don't know why you can't find it. There was one other question where I was helping that also didn't manage to find it in the registry.
On that one Adware Away cleaned it with a couple of clicks and a reboot (a different nasty).
But it seems you don't manage to install that tool.
Perhaps worth retrying.
Zee
ASKER CERTIFIED SOLUTION
ASKER
you're right r-k, it is very effective. i think i've deleted the 3 files. thanks r-k
Whew, glad you got rid of those three! Thanks for the feedback.
As a guess, probably what was happening was that the malware was re-creating those Registry entries that you kept deleting. Now that you deleted the files, you should be able to delete the offending Registry entries, and they should stay deleted. It probably doesn't matter too much whether you do this extra step or not, because the files themselves are gone.
Good luck.
At a quick glance, the only problem I can see in your log is that you have Gator adware/spyware running, which you should probably remove. In particular the programs gmt.exe and cmesys.exe and all references to those. There might be something in the Control Panel -> Add/Remove that you can use, else remove them manually from where they are starting.
Also run your HJT log through the automated online analysis to see if there is anything else I missed.