
Author Topic: I think im infected  (Read 6558 times)


Medman

I think im infected
« on: April 03, 2007, 08:55:03 AM »
So, I've got AVG virus and spyware, Asquared, Adaware SE, Spybot and Sygate for my protections. I also run Killbox, Ccleaner, and Emprunner to keep stuff clean, but I think my comp got a bug. I'm running Windows XP on a Sony Vaio.

Symptoms: When I shut down the computer I get a warning sign that says a program must be terminated. This program is Iexploere.exe. I checked that program at Bleepingcomputer.com and they said it was bad.

Also, when I rebooted my comp the system did a scandisk thing on a file called Fat32.exe, which is also labeled as bad at bleepingcomputer.com.

I have run my protection programs and none of them have found anything. If these programs are indeed bad, how do I get rid of them? I have HijackThis downloaded but have never used it, but let me know if you need me to post one. Thanks.

soybean
Re: I think im infected
« Reply #1 on: April 03, 2007, 10:00:29 AM »
I think you mean Iexplore.exe, not Iexploere.exe.  Iexplore.exe is Internet Explorer so that's not a bad file.  Can you cite the page you mentioned that says it's bad?

Fat32.exe, on the other hand, does appear to be an evil one.  Can you run a HijackThis report and post it?
« Last Edit: April 03, 2007, 10:19:36 AM by soybean »

oddjob
    Re: I think im infected
    « Reply #2 on: April 03, 2007, 10:04:35 AM »
    Make sure you have exposed all Hidden Files & Folders.
     
    To enable the viewing of Hidden files follow these steps:
     
       1. Close all programs so that you are at your desktop.
       2. Double-click on the My Computer icon.
       3. Select the Tools menu and click Folder Options.
       4. After the new window appears select the View tab.
       5. Put a checkmark in the checkbox labeled Display the contents of system folders.
       6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
       7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
       8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
       9. Press the Apply button and then the OK button and close My Computer.
     
    ***********************

    Please unzip/extract that HJT file to a permanent location such as your C: drive so you have this ...

    C:\Program Files\HijackThis

    Go to the folder and rename the hijackthis.exe file to medmanhijackthis.exe ...

    Run the medmanhijackthis.exe file ...

    From the menu click on "Do a system scan and save a logfile".

    Copy and paste the HJT logfile to this thread. More specific removal instructions will follow for whatever it is that's causing the problem.



    OJ

    soybean
    Re: I think im infected
    « Reply #3 on: April 03, 2007, 10:21:29 AM »
    OJ, why the renaming procedure?

    patio
    Re: I think im infected
    « Reply #4 on: April 03, 2007, 10:39:54 AM »
    Hijack This can be attacked by malware and give false info...
       
     
    " Anyone who goes to a psychiatrist should have his head examined. "

    oddjob
      Re: I think im infected
      « Reply #5 on: April 03, 2007, 10:45:47 AM »
      Malware sometimes changes names of legit files so they slip by unnoticed. Example ... the W32/Agobot-S virus renames svchost to scvhost. Check the spelling.

      This looks like one of those occasions.

      You correctly say that iexplore.exe is valid but Medman spells it differently and that indicates malware.

      Also this particular file corruption can be linked with the smitfraud infection amongst others.

      At this stage we don't know how much malware is on Medman's computer and I want to expose as much of it as I can straight away.

      There is a version of Vundo malware that hides if it knows HJT is scanning. It will not appear in a HJT log. The way round this is to rename the HJT executable. If present, that version of Vundo will then appear in the log.

      Hope that helps. ;D


      OJ

      Medman

      Re: I think im infected
      « Reply #6 on: April 03, 2007, 10:51:25 AM »
      http://www.bleepingcomputer.com/startups/

      That's what says it's bad, and yes it's iexplore.exe.

      I'll run HJT and post.

      soybean
      Re: I think im infected
      « Reply #7 on: April 03, 2007, 10:51:34 AM »
      That helps.  Thanks.

      soybean
      Re: I think im infected
      « Reply #8 on: April 03, 2007, 10:55:28 AM »
      http://www.bleepingcomputer.com/startups/

      That's what says it's bad, and yes it's iexplore.exe.

      I'll run HJT and post.
      So, it is iexplore.exe.  I still see nothing in http://www.bleepingcomputer.com/startups/ that says iexplore.exe is a bad file.  Can you cite SPECIFICALLY where you're getting the notion that it's a bad file?

      Again iexplore.exe is the executable file for Internet Explorer.

      Medman

      Re: I think im infected
      « Reply #9 on: April 03, 2007, 10:57:07 AM »
      Logfile of HijackThis v1.99.1
      Scan saved at 10:57:27 AM, on 4/3/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.6000.16414)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Sygate\SPF\smc.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
      C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
      C:\Program Files\dvd43\dvd43_tray.exe
      C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
      C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
      C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
      C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
      C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
      C:\WINDOWS\eHome\ehRecvr.exe
      C:\WINDOWS\eHome\ehSched.exe
      C:\WINDOWS\system32\HPZipm12.exe
      C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
      C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
      C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\UPHClean\uphclean.exe
      C:\Program Files\Canon\CAL\CALMAIN.exe
      C:\WINDOWS\system32\dllhost.exe
      C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
      C:\Program Files\iPod\bin\iPodService.exe
      C:\Documents and Settings\User\Desktop\Bacteria\Protections\medmanHijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://crossfit.com/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
      R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
      O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
      O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
      O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
      O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
      O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
      O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
      O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
      O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
      O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
      O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
      O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
      O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
      O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
      O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O11 - Options group: [INTERNATIONAL] International*
      O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
      O15 - Trusted Zone: *.musicmatch.com
      O15 - Trusted Zone: *.musicmatch.com (HKLM)
      O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
      O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
      O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
      O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
      O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
      O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
      O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
      O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
      O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
      O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
      O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
      O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
      O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
      O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
      O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
      O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
      O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
      O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


      Medman

      Re: I think im infected
      « Reply #10 on: April 03, 2007, 11:15:23 AM »
      Also, I don't know if this is related, but my Adaware SE scanner freezes each time while scanning "Web Browser cache" or something like that (can't remember exactly). The program does not freeze or become unresponsive, but instead just sits there not doing anything. At this point it says it has picked up on one Critical item but won't tell me what that is until the scan is complete, which it never is. But I've run all my other protection programs and they come up with nothing except tracking cookies, which I easily remove.

      Medman

      Re: I think im infected
      « Reply #11 on: April 03, 2007, 11:19:09 AM »
      Hmmm, yeah, the link I posted to bleepingcomputer didn't bring you to the page I wanted, but just type iexplore.exe in the search field and it comes up with a bunch of stuff:

      Examples:

      Default web browser    IexpIore.exe    X   Added by the OBLIVION.B TROJAN! Note - do not confuse "IexpIore.exe" with "iexplore.exe" (Internet Explorer), the first has a capital "i" in place of ... Read More

      or

      mssysint    Iexplore .exe    X   Added by the PWSTEAL.ABCHLP and PSPIDER.310.B TROJANS! Note - this is not the legitimate Internet Explorer (iexplore.exe) process, which should not ap ... Read More
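The look-alike names this thread turns on (scvhost for svchost, a capital I standing in for the l in iexplore.exe, an inserted space before .exe) can be checked mechanically against the paths in a HijackThis "Running processes" section. The following is an added example, not code from the thread or from HijackThis; its reference table of known binaries with their expected directories and its sample paths are constructed (the first two modelled on the log posted above, the rest invented look-alikes).

```python
import ntpath

# Constructed reference table: legitimate Windows XP binaries and the directory
# each is expected to run from (a real table would cover the whole system folder).
KNOWN_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "dllhost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "iexplore.exe": r"c:\program files\internet explorer",
}

# Look-alike characters (I/l/1/|, O/0) fold to one symbol, so "IexpIore.exe" with
# a capital I standing in for l collapses to the same string as iexplore.exe.
CONFUSABLE = str.maketrans("il1|o0", "lllloo")


def fold(name: str) -> str:
    """Drop inserted spaces ("Iexplore .exe"), case-fold, then fold confusables."""
    return name.replace(" ", "").lower().translate(CONFUSABLE)


def osa_distance(a: str, b: str) -> int:
    """Edit distance with adjacent transpositions, so scvhost/svchost costs 1."""
    # d[i][j]: distance between the first i chars of a and the first j chars of b
    d = [[max(i, j) if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(path: str) -> tuple[str, str]:
    """Return (verdict, reason) for one full path from a 'Running processes' list."""
    directory, name = ntpath.split(path)
    directory, lowered = directory.lower(), name.lower()
    if lowered in KNOWN_BINARIES:
        if directory == KNOWN_BINARIES[lowered]:
            return "ok", "known name in its expected directory"
        return "suspicious", f"{lowered} running from unexpected {directory}"
    for known in KNOWN_BINARIES:
        if fold(name) == fold(known):
            return "suspicious", f"homoglyph or spacing variant of {known}"
        if osa_distance(lowered, known) <= 1:
            return "suspicious", f"one-edit misspelling of {known}"
    return "unknown", "not in the reference table"


# Constructed sample: first two paths modelled on the log above, the rest invented.
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\System32\svchost.exe",
    r"C:\Program Files\Sygate\SPF\smc.exe",
    r"C:\WINDOWS\system32\scvhost.exe",             # transposed letters
    r"C:\WINDOWS\IexpIore.exe",                     # capital I in place of l
    r"C:\WINDOWS\system32\Iexplore .exe",           # inserted space
    r"C:\DOCUME~1\User\LOCALS~1\Temp\svchost.exe",  # right name, wrong directory
]
```

Run `classify` over every path in a pasted log; an "unknown" verdict only means the name is absent from the table, so a real deployment needs a table covering the whole system directory.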

      unlovedwarrior
        Re: I think im infected
        « Reply #12 on: April 03, 2007, 11:25:55 AM »

        dllhost.exe

        Gilat SOM Enumerator  dllhost.exe  Y For Gilat Communications internet satellite systems - associated with SkyBlaster modem. Required if you have this system ... Read More 
        WinMngn  dllhost.exe  X Added by the Troj/Sivion-A TROJAN by appearing to be an anti-virus program. Additional files are installed to the Program Files to enable unauthorised ... Read More 
        DllHost  dllhost.exe  X Added by the BKDR_PROSTI.A backdoor. 
        DNS Event  dllhost.exe  X Added by the Infostealer.Svcstor information stealing Trojan. This infection should not be confused with the legitimate Windows file c:\Windows\System ... Read More 
        COM+ System Service  dllhost.exe  X Added by the W32/Tilebot-HT worm and IRC backdoor. W32/Tilebot-HT spreads to other network computers by exploiting common buffer overflow vulnerabilit ... Read More 
        Windows Host Services  dllhost.exe  X Added by the W32/Tilebot-IH worm and IRC backdoor. W32/Tilebot-IH spreads to other network computers by exploiting common buffer overflow vulnerabilit ... Read More 
        000hpdllhos  hpdllhost.exe  X LZIO.com adware downloader 



        OJ, can you check this out?

        patio
        Re: I think im infected
        « Reply #13 on: April 03, 2007, 11:28:24 AM »
        A few quick questions:

        I noticed you are still running Norton along with AVG....do you need both ? ?

        For the AdAware issue are you clearing your browser cache and deleting Temporary Internet files before scanning ? ?
        If not this might be slowing the scan down.

        Did you run the scans ( not Hijack This ) in safe mode with system restore turned off ? ?
           
         
        " Anyone who goes to a psychiatrist should have his head examined. "

        soybean
        Re: I think im infected
        « Reply #14 on: April 03, 2007, 11:34:42 AM »
        Hmmm, yeah, the link I posted to bleepingcomputer didn't bring you to the page I wanted, but just type iexplore.exe in the search field and it comes up with a bunch of stuff:

        Examples:

        Default web browser    IexpIore.exe    X   Added by the OBLIVION.B TROJAN! Note - do not confuse "IexpIore.exe" with "iexplore.exe" (Internet Explorer), the first has a capital "i" in place of ... Read More

        or

        mssysint    Iexplore .exe    X   Added by the PWSTEAL.ABCHLP and PSPIDER.310.B TROJANS! Note - this is not the legitimate Internet Explorer (iexplore.exe) process, which should not ap ... Read More
        OK, I see all the search findings now.  This is a case where a valid file, iexplore.exe, gets exploited in many ways to cause problems.