Please help. Multiple "IEXPLORE.EXE" showing up in my Task Manager

HOBBAM

Senior Member
Joined
Sep 8, 2005
Messages
113
Reaction score
4
I could really use some help and any help would definitely be appreciated.

I run a very clean dell desktop 8400 (meaning I run 3 types of security programs Norton, Ad-Aware Se, Spybot, and am very careful about what I view, etc)

I've been having though some problems with my Norton Internet Security 05. The Anti-Virus kept disabling, to which I would have to enable it.

Well last week, it did it again, only I couldn't enable it, to which it said that I would have to reinstall Norton Anti Virus again. Only I couldn't. I had to download some program from Norton to uninstall the problem Norton parts, to which it uninstalled Norton altogether.

I reinstalled it and there was a section to which during the install you would select the programs, but it didn't come up. So I had to do it manually which was a bit odd, because there was a confliction. Norton ran fine then after setup. After that, I was prompted by Windows Update to install the new security patches, which I did.

Everything was fine until the next day through now, where every time after booting my computer and getting to the desktop (after fully loading); when I would click on IE or go to My Documents or almost anything, a second later the window would become "INACTIVE" and I would have to click on it to become ACTIVE again. After a couple minutes that would stop.


However, I would CTRL + ALT + DEL to bring up the Manager and see that I would have 8 or so "IEXPLORE.EXE" going where there were none or where there would be only one going, but not 8. I also noticed now the same thing for "qttask.exe"


I should note that after the reinstall of Norton, when I went to ITUNES, it told me I had to reinstall if I wanted to use the import or burn option for the cd.

HOWEVER, I ran SPYBOT after downloading the new updates and it did detect two problem Windows files that may have been connected to the patches. Spybot fixed them.

But the problem still persisted.

I looked around and some people who were experiencing the same problems have said it's possible Malware or something. One indicator is if the "IEXPLORE.EXE" is in the WINDOWS or System Folder, which it's not. I did a search and "IEXPLORE.EXE" only came up in the Program Folder for Internet Explorer and there was a file in the Windows Prefetch.

I really have no idea what to do here. I don't know whether it's Norton, and whether I should try to fully uninstall it and try to install the 06 version and see if the same issues come up, or what.

I downloaded HijackThis and ran a scan and saved a logfile. I would be more than glad to put it up, if someone really knows their stuff and could see what the issue might be, and could offer some help on the issue.


But I wanted to see if what I said above concerning Norton or whatever could've been an issue.
 

l3lasphemer

Senior Member
Joined
Jan 8, 2005
Messages
142
Reaction score
7
Definitely some kind of virus or malware.

Well, my first suggestion would be to scrap Norton altogether and go with something else. I clean out viruses and spyware daily at work (constitutes roughly 80% of our business) and have seen Norton corrupted and even taken over by viruses. We use AVG Free Edition for our anti-virus and have had very few problems with it (as the name suggests, it is a free program with no subscription costs).

linkie: http://free.grisoft.com/doc/5390/lng/us/tpl/v5
download the install file, install and make sure to run all the updates.

Spybot and Adaware SE work great for 2ndary spyware programs, I would recommend Ewido Anti-Spyware, a2 anti-spyware, webroot Spysweeper. You can download the 30 day trial and use it to clean up your computer, just remember to uninstall it if you don't want to buy it. You can get the install for Ewido from the AVG website, a2 and spysweeper are easily found with a Google search.

Hope this helps.

Missed the part about the log for hijack this, post it up and I can rummage through it.
 

HOBBAM

l3lasphemer said:
Definitely some kind of virus or malware.

Well, my first suggestion would be to scrap Norton altogether and go with something else. I clean out viruses and spyware daily at work (constitutes roughly 80% of our business) and have seen Norton corrupted and even taken over by viruses. We use AVG Free Edition for our anti-virus and have had very few problems with it (as the name suggests, it is a free program with no subscription costs).

linkie: http://free.grisoft.com/doc/5390/lng/us/tpl/v5
download the install file, install and make sure to run all the updates.

Spybot and Adaware SE work great for 2ndary spyware programs, I would recommend Ewido Anti-Spyware, a2 anti-spyware, webroot Spysweeper. You can download the 30 day trial and use it to clean up your computer, just remember to uninstall it if you don't want to buy it. You can get the install for Ewido from the AVG website, a2 and spysweeper are easily found with a Google search.

Hope this helps.

Missed the part about the log for hijack this, post it up and I can rummage through it.

Thank you for responding.

I'll post the log in a second.

Could you please post an official direct link to download Ewido Anti-Spyware and webroot Spysweeper?

Thanks.
 

HOBBAM

Just looking at this log or the circumstances, what should I not be doing? Obviously not accessing any important personal information, which I haven't, but if one could tell me things not to do during this time, like continuing to boot up the computer each time might make it worse. I'll try to either fix it or get it into someone who can, but I was just curious as for right now.

Here is the log.


Logfile of HijackThis v1.99.1
Scan saved at 1:53:32 PM, on 8/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\UpdReg.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HOBBE5\My Documents\Unzipped\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131239862687
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)
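A first-pass triage of a log like the one above, as an added example that is not part of the original posts: it counts repeated process images, applies the location check mentioned earlier in the thread (iexplore.exe running from outside its program folder), and lists entries whose file is gone or whose hook has no name. The function names, the finding labels and the second sample are assumptions made for illustration; the findings are items to review, not verdicts.

```python
import re
from collections import Counter
from ntpath import basename, dirname, normpath  # Windows path rules on any OS

# Excerpt of the HijackThis log posted above (trimmed; lines copied from the thread).
PAGE_EXCERPT = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)
"""

# Constructed variant (NOT from the thread): one browser image in the system folder,
# added only to show the location check firing.
CONSTRUCTED = PAGE_EXCERPT.replace(
    "Running processes:\n",
    "Running processes:\n" + r"C:\WINDOWS\system32\iexplore.exe" + "\n", 1)

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # e.g. "O2 - BHO: ..."
EXPECTED_DIR = {"iexplore.exe": r"c:\program files\internet explorer"}
MULTI_INSTANCE_OK = {"svchost.exe"}                  # normally runs several times


def parse_log(text):
    """Split a HijackThis log into (running process paths, [(code, body), ...])."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:                       # first coded entry ends the process list
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs and line:
            processes.append(line)
    return processes, entries


def triage(text, max_instances=1):
    """Return (label, detail) findings worth a closer look."""
    processes, entries = parse_log(text)
    findings = []
    norm = [normpath(p).lower() for p in processes]  # paths differ only by case
    counts = Counter(basename(p) for p in norm)
    for name, n in sorted(counts.items()):
        if n > max_instances and name not in MULTI_INSTANCE_OK:
            findings.append(("many-instances", f"{name} x{n}"))
    for p in sorted(set(norm)):
        expected = EXPECTED_DIR.get(basename(p))
        if expected and dirname(p) != expected:
            findings.append(("unexpected-path", p))
    for code, body in entries:
        if "(no file)" in body or "(file missing)" in body:
            findings.append(("orphaned", f"{code} {body}"))
        elif code in ("O2", "R3") and "(no name)" in body:
            findings.append(("unnamed-hook", f"{code} {body}"))
    return findings


if __name__ == "__main__":
    for label, detail in triage(PAGE_EXCERPT):
        print(f"{label:16} {detail}")
```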
 

l3lasphemer

Linkie for Ewido: http://www.grisoft.com/doc/Programs/lng/us/tpl/tpl01
scroll all the way to the bottom.

Linkie for Spysweeper: www.webroot.com
click the free scan now and it should take you to a download link

A good tip for Ewido and AVG, install them, run the updates and reboot into safe mode to do the actual scan, they find more stuff that way and there isn't anything loaded in memory to prevent it from being removed or quarantined.
 

HOBBAM

l3lasphemer said:
Linkie for Ewido: http://www.grisoft.com/doc/Programs/lng/us/tpl/tpl01
scroll all the way to the bottom.

Linkie for Spysweeper: www.webroot.com
click the free scan now and it should take you to a download link

A good tip for Ewido and AVG, install them, run the updates and reboot into safe mode to do the actual scan, they find more stuff that way and there isn't anything loaded in memory to prevent it from being removed or quarantined.

I just downloaded Ewido. Should I do that first, and based on what you said, I'm sorry, but how exactly do I run it? I don't do much in safe mode.

I install Ewido
Run updates and all that.
Reboot.

Then what?
 

l3lasphemer

I have marked certain entries with DELETE (check them in HijackThis to be removed) and hit fix checked. I had to view it in Word to get a good look at everything you had listed. A good rule of thumb here is that if the entry is for a legit program like Norton, Adobe, etc. it is ok to keep unless you have uninstalled said program and it still lists entries. Here also in the HijackThis log it gives you a good idea of the amount of resources that Norton takes up while it is running on the computer. Which is another reason why I get rid of it and use AVG.

Also something you should do is to delete all temporary internet files and cookies. Go to the temp folder under the windows directory and delete everything there as well as the temp folder located in local settings under documents and settings (local settings folder is defaulted to a hidden folder, you can change your view in folder options to view hidden files and folders)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
DELETE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
DELETE R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
DELETE O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
DELETE O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
DELETE O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
DELETE O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
DELETE O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
DELETE O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
DELETE O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
DELETE O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
DELETE O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1131239862687
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)
 

l3lasphemer

HOBBAM said:
I just downloaded Ewido. Should I do that first, and based on what you said, I'm sorry, but how exactly do I run it? I don't do much in safe mode.

I install Ewido
Run updates and all that.
Reboot.

Then what?

Do the install and updating in regular mode after you download it. After the updates are done, reboot into safe mode and log in to either administrator or your account with admin rights. The icon should be on the desktop, just dbl-click to open Ewido, go over to the scanning tab and hit complete system scan.
 

HOBBAM

l3lasphemer said:
Do the install and updating in regular mode after you download it. After the updates are done, reboot into safe mode and log in to either administrator or your account with admin rights. The icon should be on the desktop, just dbl-click to open Ewido, go over to the scanning tab and hit complete system scan.


I'm on my other computer right now as EWIDO is running on the infected desktop computer.



It's already picked up two BIG things, with 285 infected files.

*Downloader.Agent.asl--------HIGH---------284 trace files detected

*Adware.Minibug---------------MEDIUM-------1 trace located


It just finished scanning.

Since I've never used the program before, now that the scan is complete and showing those 2 THREATS, how do I go about removing them? Do I click on Quarantine and have it quarantined or DELETE?



Also, if I do delete them, should I do another scan again to see if anything comes up. Then should I shut down and see if those earlier problems come up.

And also concerning the Hijack this log, should I wait and see if the problem is fixed before running HIJACKTHIS again and fix or remove those files you selected?

Sorry to flood you with all that, just wanted to get everything in. I REALLY APPRECIATE ALL YOUR HELP ON THIS.
 

HOBBAM

Here are the files you are asking me to delete. If you don't mind, could I ask the reasons I should delete these files, if it's not too much trouble? There are a couple that look important or part of program files, like the Symantec one.


- DELETE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html


- DELETE R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll


- DELETE O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll


- DELETE O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll


- DELETE O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)


- DELETE O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper


- DELETE O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE


- DELETE O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe


- DELETE O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k


- DELETE O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


- DELETE O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
 

l3lasphemer

HOBBAM said:
Here are the files you are asking me to delete. If you don't mind, could I ask the reasons I should delete these files, if it's not too much trouble? There are a couple that look important or part of program files, like the Symantec one.


- DELETE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
This is a browser hijacker, can redirect your homepage, and possibly prevent internet access


- DELETE R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
This is a browser hijacker, can redirect your homepage, and possibly prevent internet access


- DELETE O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
This is a browser hijacker, can redirect your homepage, and possibly prevent internet access


- DELETE O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
A BHO is a browser helper object, commonly called a toolbar. There is really no use for these at all unless you are running windows 98 and use the yahoo toolbar for a popup blocker. Uses extra resources when IE is launched


- DELETE O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
Pointless entry, best to delete


- DELETE O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
This is a .dll that is a library for some kind of spyware, not sure which one, but I have seen this file many times

- DELETE O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
This .exe can be used to install ads and popups into your registry

- DELETE O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
This .exe can be used to install ads and popups into your registry


- DELETE O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
This refers to an outdated program file, probably something you have uninstalled recently

- DELETE O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
No point to have this unless you use Real Player, it is an updater that loads at windows startup and checks for news and updates from Real Player, uses extra system resources.

- DELETE O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
doh, I missed the Symantec part of this entry, ignore this one sorry


Hope these help.
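
Added example (not part of any poster's message, and not HijackThis's own code): a short Python parser for the R1/R3/O2/O4 log lines discussed above. It extracts each entry's name, CLSID and target and attaches triage notes such as the orphaned "(no file)" BHO. The regular expressions and note wording are assumptions based on the line layout visible in this thread.

```python
import re

# HijackThis section codes that appear in this thread.
SECTIONS = {
    "R1": "Internet Explorer search/start page setting",
    "R3": "URLSearchHook",
    "O2": "Browser Helper Object (BHO)",
    "O4": "autostart entry (Run key / Startup group)",
}

# Log lines copied from the thread (a subset), "- DELETE" prefix removed.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
"""

LINE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
COM = re.compile(r"^(?P<kind>[^:]+): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$")
RUN = re.compile(r"^(?P<key>HK\w+\\\S*Run\w*): \[(?P<name>[^\]]+)\] (?P<target>.+)$")

def parse(log):
    """Return one dict per recognised log line; notes are triage hints, not verdicts."""
    entries = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        e = {"code": m["code"], "section": SECTIONS.get(m["code"], "unknown"), "notes": []}
        body = m["body"]
        com, run = COM.match(body), RUN.match(body)
        if com:  # R3 and O2 lines: "<kind>: <name> - {CLSID} - <file>"
            e.update(name=com["name"], clsid=com["clsid"].upper(), target=com["target"])
            if com["name"] == "(no name)":
                e["notes"].append("unnamed COM object")
            if com["target"] == "(no file)":
                e["notes"].append("orphaned: registry entry points at no file")
        elif run:  # O4 lines: "<key>: [<value name>] <command line>"
            e.update(name=run["name"], target=run["target"])
            if "\\" not in run["target"].split()[0]:
                e["notes"].append("no full path: located through the Windows search path")
        elif " = " in body:  # R1 lines: "<registry value> = <URL>"
            e["name"], _, e["target"] = body.partition(" = ")
        entries.append(e)
    return entries
```

Calling `parse(SAMPLE_LOG)` returns seven entries; the notes only tell a reviewer which lines to look at first, and the decision to fix an entry still depends on knowing what the target file is.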
 

l3lasphemer

Senior Member
Joined
Jan 8, 2005
Messages
142
Reaction score
7
HOBBAM said:
I'm on my other computer right now as EWIDO is running on the infected desktop computer.



It's already picked up two BIG things, with 285 infected files.

*Downloader.Agent.asl--------HIGH---------284 trace files detected

*Adware.Minibug---------------MEDIUM-------1 trace located


It just finished scanning.

Since I've never used the program before, now that the scan is complete and showing those 2 THREATS, how do I go about removing them? Do I click on Quarantine and have it quarantined or DELETE?

Also, if I do delete them, should I do another scan again to see if anything comes up. Then should I shut down and see if those earlier problems come up.

And also concerning the Hijack this log, should I wait and see if the problem is fixed before running HIJACKTHIS again and fix or remove those files you selected?

Sorry to flood you with all that, just wanted to get everything in. I REALLY APPRECIATE ALL YOUR HELP ON THIS.

sorry it took so long to respond, had to get some grub.

Ok, after ewido is finished it will have everything it finds in the box on the left. Down under that box is an option that lets you determine what you want to do with those files: quarantine, delete etc. I normally just select delete, and under that box is a button that says apply all actions. Hit that and it will do whatever you said in the previous box. Now during the delete, if any of these files are archives it will ask you if you are sure you want to delete, YES - to all hehe. After that is done, I usually run a virus scan with AVG while still in safe mode and delete/quarantine anything it finds.

You can also run Spybot and Adaware in safe mode after ewido to pick up any remaining trace elements. After that is done, you can restart back to normal mode and run a quick check with ewido and avg to see if it picks up anything else.

Also here is a link to a webpage that contains many helpful hints and tips for general cleaning of malware (virus and spyware).
linkie: http://www.elephantboycomputers.com/page2.html#Removing_Malware
 

HOBBAM

Senior Member
Joined
Sep 8, 2005
Messages
113
Reaction score
4
l3lasphemer said:
Hope these help.

OK.

So, when I bring up HijackThis, and I want to remove those first 10 that I listed from your list to delete....how do I go about it?

Do I click "system scan and save logfile", then when it brings up the list, do I find the ones that you listed, PUT A CHECK IN THE BOX NEXT TO THEM, and then click "FIX CHECKED" to what I'm assuming will delete the files?
 

l3lasphemer

Senior Member
Joined
Jan 8, 2005
Messages
142
Reaction score
7
You got it, just make sure to put a check in the box only by those I suggested. After that hit fix checked and it will go through the list and delete them. After it is done you can click on scan again to see if they are gone.

If they are stubborn and stay there, there is likely some spyware or a virus still somewhere.

Added note: I just read up on the multiple iexplore.exe virus; it relates to this "Trojan-Downloader.Win32.Small.acp" or "Trojan-Dropper.Win32.Small.nz".

The most successful spyware program to use to remove it is a-squared
linkie: http://www.emsisoft.com/en/software/download/
One thing I have heard about this one is that it sometimes picks up p2p programs like limewire and kazaa and calls them spyware, so if you use either of those you can probably ignore that.
 

HOBBAM

Senior Member
Joined
Sep 8, 2005
Messages
113
Reaction score
4
l3lasphemer said:
sorry it took so long to respond, had to get some grub.

Ok, after ewido is finished it will have everything it finds in the box on the left. Down under that box is an option that lets you determine what you want to do with those files: quarantine, delete etc. I normally just select delete, and under that box is a button that says apply all actions. Hit that and it will do whatever you said in the previous box. Now during the delete, if any of these files are archives it will ask you if you are sure you want to delete, YES - to all hehe. After that is done, I usually run a virus scan with AVG while still in safe mode and delete/quarantine anything it finds.

You can also run Spybot and Adaware in safe mode after ewido to pick up any remaining trace elements. After that is done, you can restart back to normal mode and run a quick check with ewido and avg to see if it picks up anything else.

Also here is a link to a webpage that contains many helpful hints and tips for general cleaning of malware (virus and spyware).
linkie: http://www.elephantboycomputers.com/page2.html#Removing_Malware

That's ok, I appreciate you coming back to help and answer the questions.

Couple of near-final things.

1. After Ewido did the scan and brought up those 2 big Threats with the 285 traced infected files, I DELETED THEM....then did another scan which Ewido then showed that my computer was ok.

2. You had mentioned doing this in Safe-mode. Now, I know how to access safe-mode through Win98, but with XP v2 that I have now, I don't know how to do it.

What happened was that I installed Ewido, downloaded the updates, rebooted, but it went into normal mode, but Ewido automatically came up and told me my system was infected with that "Downloader.Agent.asl" to which then I started to do the scan and after, did what I did in #1.

Was I supposed to do it differently, and if so, could you tell me how to check to Safe-Mode in XP, and run Ewido?


3. After running Ewido, it took some files and put them in the quarantine. It says "the objects in quarantine are encrypted and can do no harm to your computer"

I don't know whether I should keep them there, delete them, or restore them now, because as it says they pose no harm....

yet next to each origin object it says that object is infected with Downloader.Agent.asl and the risk is high.


Three Examples:

C:\Program Files\ITunes\ITunesHelper.exe ----Infected with Downloader.Agent.asl--Risk High


C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe ------Infected with Downloader.Agent.asl ----Risk High

C:\Program Files\Cyberlink\PowerDVD\DVDLauncher.exe

I can remove Itunes, since I have to do it anyways, but with the Intel application accelerator, should I leave it in quarantine or remove it. I had to download it last year to fix an issue concerning my system. So I don't know if removing it will cause permanent damage or not.

Main thing I guess, is what should I do with those files?
 

l3lasphemer

Senior Member
Joined
Jan 8, 2005
Messages
142
Reaction score
7
You get to safe mode in xp the same way by hitting F8, you just got to time it right, easy way is to start hitting it right after your manufacturer's page goes off.

As for the files in quarantine I would say go ahead and delete them. Now for the Intel Accelerator I would say leave it quarantined and download the file again, after you download it, go ahead and delete the other one from the quarantine and reinstall the new one.

As for itunes it is easily downloaded again, I would say chunk the infected one for a fresh copy.
 

HOBBAM

Senior Member
Joined
Sep 8, 2005
Messages
113
Reaction score
4
l3lasphemer said:
You get to safe mode in xp the same way by hitting F8, you just got to time it right, easy way is to start hitting it right after your manufacturer's page goes off.

As for the files in quarantine I would say go ahead and delete them. Now for the Intel Accelerator I would say leave it quarantined and download the file again, after you download it, go ahead and delete the other one from the quarantine and reinstall the new one.

As for itunes it is easily downloaded again, I would say chunk the infected one for a fresh copy.

Ok, I will try it.

As for the quarantine files, is it saying that they are infected but pose no threat, but still could, or that the files are damaged? If I restore them what would happen?

For Intel though, I still have the setup file, if you will, for it, but it was from last year. Should I use that setup file to install a new version of the same file onto my computer or go online to download the newest version, to which I'm not sure of, at this point?


Here's a list though of the files that are quarantined... The ones with the asterisks are the ones I'm mainly concerned about, and didn't know if I restored them, what would happen, like if there is some small part of the virus still attached or something.

I gotta go soon, but.....If you could just take a look below at these from the Ewido Quarantine and tell me what you think, I would appreciate it. LASTLY, if you could maybe check back later tomorrow I'll be finished with the other scans and stuff and let you know how it all went. AGAIN, I REALLY APPRECIATE ALL THE HELP ON THIS. THANKS. :)

- Program Files\Messenger\msmsgs.exe (dont use any messenger, but don't know what it is, or if it's important)

- Program Files\Quicktime\qttask.exe

- Program Files\Itunes\iTunesHelper.exe (like qt can be removed and updated with latest version)

- Program Files\Common Files\Real\Update_OB\realsched.exe

- Program Files\Dell Support\DSAgnt.exe

- Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe (dont need, will remove)

- Program Files\Linksys Wireless G USB monitor\InvokeSvc.exe (can remove and reinstall)

* Windows\system32\dla\tfswctrl.exe (don't know about this one)

* Program Files\Cyberlink\Powerdvd\DVDLauncher.exe

- Program Files\Creative\Sound Blaster Live 24bit\Surrond Mixer\CTSysvol.exe

- Program Files\Java\j2re1.4.2_03\bin\jusched.exe

- Program Files\Common Files\Sonic\Update Manager\sgtray.exe

* Windows\UpdReg.EXE

* Program Files\Intel\Modem Event Monitor\IntelMEM.exe (Biggest Concern)

* Program Files\Intel\Intel Application Accelerator\iaanotif.exe (Biggest Concern)
 

HOBBAM

Senior Member
Joined
Sep 8, 2005
Messages
113
Reaction score
4
l3lasphemer


Just wanted to let you know that I did the scans in SAFE MODE in both Admin and my Personal Account (just in case) and no spyware or anything showed up, which I guess is good. Also ran ad-aware and spybot as well and they said I didn't have any viruses.

Also did scans again in normal mode with the various programs and they showed I had viruses or threats.


As far as Ewido goes.

Those 10 or so files that are quarantined, that I listed above.

I "Remove Finally" some of those files in the Quarantine section of Ewido.

For the rest of them, I went to find where they were. I ended up finding the files in a "BAK" folder, which I'm assuming means "BACKUP" and Ewido or another program did that to, what I believe, protect those files.

I don't know though if Ewido took those files though and put them in the "BAK" folder in the location they would be at, to QUARANTINE them or not.

I have a friend who has a "clean" Dell, almost exactly like mine, and copied the exact same files that I had in quarantine, onto a flash stick, and was going to replace them after I "REMOVE FINALLY" those files in quarantine.

HOWEVER, when I deleted those files in Ewido, I went back into the location of where the file was, thinking that the BAK or file would be deleted, but it wasn't.


What I did was copy the file in the BAK folder (after using Ewido to scan the file to see if it was infected, which it wasn't) and deleted the folder, then pasted it back into where it was supposed to be.

I then did the same for the rest of them, with the exception of the Itunes files.


Did I do the right thing concerning that issue?
 

l3lasphemer

Senior Member
Joined
Jan 8, 2005
Messages
142
Reaction score
7
As long as the original files are clean of any kind of virus or spyware, there should be no problem with returning them to their original location. Seems like you got it done.

Great Job!!
 