I need help with an iexplorer32 virus

Discussion in 'malware problems & news' started by flyinfastcomputer, Oct 25, 2004.

Thread Status:
Not open for further replies.
  1. I have a virus in System32\iexplorer32.exe.
    Here is a list of my startup:

    StartupList report, 10/25/2004, 6:49:44 PM
    StartupList version: 1.52
    Started from : C:\Documents and Settings\The Man\Desktop\startuplist1521\StartupList.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\PROGRA~1\VOB\INSTAN~1\IWCTRL.EXE
    C:\Program Files\Common files\updater\wupdater.exe
    C:\WINDOWS\System32\iexplore32.exe
    C:\WINDOWS\System32\RUNDLL32.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\SahAgent.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\MyWay\bar\1.bin\mwsoemon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\WINDOWS\GWMDMMSG.exe
    C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
    C:\WINDOWS\mHotkey.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\BestBuy\HelpExpress\HXDL.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\BestBuy\HelpExpress\HXIUL.EXE
    C:\Program Files\AIM\aim.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Documents and Settings\The Man\Application Data\iwar.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\BestBuy\HelpExpress\Client\HELPEXP.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Real\RealOne Player\RealPlay.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Documents and Settings\The Man\Desktop\startuplist1521\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\The Man\Start Menu\Programs\Startup]
    Check For Dope Wars Updates.lnk = C:\Program Files\Dopewars\WiseUpdt.exe

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    Microsoft Works Calendar Reminders.lnk = ?

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    IW Controlcenter = C:\PROGRA~1\VOB\INSTAN~1\IWCTRL.EXE
    updater = C:\Program Files\Common files\updater\wupdater.exe
    RunDLL = rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    iched32r = C:\WINDOWS\System32\iched32r.exe
    UsbD = C:\WINDOWS\System32\iexplore32.exe
    WorksFUD = C:\Program Files\Microsoft Works\wkfud.exe
    WildTangent CDA = RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    ViewMgr = C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    susp = C:\WINDOWS\susp.exe
    stcloader = C:\WINDOWS\System32\stcloader.exe
    SAHBundle = C:\DOCUME~1\THEMAN~1\LOCALS~1\Temp\bundle.exe
    SAHAgent = C:\WINDOWS\System32\SahAgent.exe
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    nwiz = nwiz.exe /install
    MyWebSearch Email Plugin = C:\PROGRA~1\MyWay\bar\1.bin\mwsoemon.exe
    mswspl = C:\WINDOWS\System32\stcloader.exe
    Microsoft Works Update Detection = C:\Program Files\Microsoft Works\WkDetect.exe
    Microsoft Works Portfolio = C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    Microsoft Tray = C:\My Shared Folder\Games (1).exe
    kdx = C:\WINDOWS\kdx\KHost.exe
    iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe
    Internet Optimizer = "C:\Program Files\Internet Optimizer\optimize.exe"
    GWMDMMSG = GWMDMMSG.exe
    DM_Server = C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
    ClrSchLoader = C:\Program Files\ClearSearch\Loader.exe
    CHotkey = mHotkey.exe
    ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    WebRebates0 = "C:\Program Files\Web_Rebates\WebRebates0.exe"
    EbatesMoeMoneyMaker = wjview /cp:p "C:\Program Files\EbatesMoeMoneyMaker\System\Code" Main lp: "C:\Program Files\EbatesMoeMoneyMaker"
    bxxs5 = RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    HXDL.EXE = C:\Program Files\BestBuy\HelpExpress\HXDL.EXE -from="CLIENT.CAB" -to="Download\CLIENT.CAB"
    MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
    HXIUL.EXE = C:\Program Files\BestBuy\HelpExpress\HXIUL.EXE
    NVIEW = rundll32.exe nview.dll,nViewLoadHook
    AIM = C:\Program Files\AIM\aim.exe -cnetwait.odl
    Weather = C:\Program Files\AWS\WeatherBug\Weather.exe 1
    Rcsh = C:\Documents and Settings\The Man\Application Data\iwar.exe
    Aurrvsy = C:\WINDOWS\System32\?hkntfs.exe

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=
    SCRNSAVE.EXE=C:\WINDOWS\System32\FORDTR~1.SCR
    drivers=

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\System32\FORDTR~1.SCR
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\WINDOWS\bi.dll - {000006B1-19B5-414A-849F-2A3C64AE6939}
    (no name) - C:\Program Files\Lycos\Sidesearch\sidesearch1500.dll - {00000762-3965-4A1A-98CE-3D4BF457D4C8}
    (no name) - C:\WINDOWS\System32\ATPART~1.DLL - {00000EF1-0786-4633-87C6-1AA7A44296DA}
    (no name) - C:\WINDOWS\twaintec.dll - {000020DD-C72E-4113-AF77-DD56626C6C42}
    (no name) - C:\WINDOWS\System32\n3tpa1.dll - {000E7270-CC7A-0786-8E7A-DA09B51938A6}
    (no name) - C:\WINDOWS\bxxs5.dll - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9}
    MyWebSearch Search Assistant BHO - C:\Program Files\MyWay\SearchAt\1.bin\MWSSRCAS.DLL (file missing) - {00A6FAF1-072E-44cf-8957-5838F569A31D}
    (no name) - C:\Program Files\Kontiki\bin\bh304181.dll (file missing) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB}
    mwsBar BHO - C:\Program Files\MyWay\bar\1.bin\MWSBAR.DLL (file missing) - {07B18EA1-A523-4961-B6BB-170DE4475CCA}
    ohb - C:\WINDOWS\System32\winhot32.dll - {086CEFD5-A88D-4981-8915-D51F04360ED1}
    (no name) - C:\WINDOWS\System32\iSearch\toolbar.dll - {1C78AB3F-A857-482e-80C0-3A1E5238A565}
    NavErrRedir Class - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL - {5D60FF48-95BE-4956-B4C6-6BB168A70310}
    (no name) - C:\WINDOWS\2_0_1browserhelper2.dll - {83DE62E0-5805-11D8-9B25-00E04C60FAF2}
    (no name) - C:\WINDOWS\System32\bridge.dll - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF}
    NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Norton AntiVirus - Scan my computer.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [symsupportutil]
    CODEBASE = https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
    OSD = C:\WINDOWS\Downloaded Program Files\OSD4A.OSD

    [F1 Organizer Class]
    InProcServer32 = C:\WINDOWS\System32\ATPART~1.DLL
    CODEBASE = http://www.addictivetechnologies.net/DM0/cab/1w2fcksh.cab

    [Support.com Configuration Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\tgctlcm.dll
    CODEBASE = http://support.charter.com/sdccommon/download/tgctlcm.cab

    [Microsoft Office Template and Media Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\IEAWSDC.DLL
    CODEBASE = http://office.microsoft.com/templates/ieawsdc.cab

    [{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\WinadX.dll
    CODEBASE = http://public.windupdates.com/get_f...71b0834b3328:522a1c137ec85ca995271ab95b94951b

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}]
    CODEBASE = http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab

    [{26E8361F-BCE7-4F75-A347-98C88B418322}]
    CODEBASE = http://download.websearch.com/Dnl/T_50099/QDow.cab

    [Register Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\HWUtils.dll
    CODEBASE = http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.26/Hiwire.cab

    [Minesweeper Flags Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\minesweeper.dll
    CODEBASE = http://messenger.zone.msn.com/binary/MineSweeper.cab

    [Symantec AntiVirus scanner]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
    CODEBASE = http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab

    [ProjectPoint Document]
    CODEBASE = https://folders.buzzsaw.com/!/download/ProjectPoint-BZ-EN.exe

    [RdxIE Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll
    CODEBASE = http://207.188.7.150/262be2cadda821859305/netzip/RdxIE601.cab

    [AcDcToday Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\ACDCTO~1.OCX
    CODEBASE = file://C:\Program Files\AutoCAD LT 2000i\AcDcToday.ocx

    [MessengerStatsClient Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
    CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

    [InstallShield International Setup Player]
    InProcServer32 = c:\windows\downlo~1\isetup.dll
    CODEBASE = http://www.installengine.com/engine/isetup.cab

    [SurroundVideoCtrl Object]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\MSSurVid.ocx
    CODEBASE = http://autos.msn.com/components/ocx/survid/MSSurVid.cab

    [iiittt Class]
    InProcServer32 = C:\WINDOWS\System32\winhot32.dll
    CODEBASE = http://hotsearchbar.com/toolbar2/winhot32.cab

    [MediaTicketsInstaller Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\MEDIAT~1.OCX
    CODEBASE = http://www.mt-download.com/MediaTicketsInstaller.cab

    [HeartbeatCtl Class]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\hrtbeat.ocx
    CODEBASE = http://fdl.msn.com/zone/datafiles/heartbeat.cab

    [RealArcadeRdxIE Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\RealArcadeRdxIE.dll
    CODEBASE = http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab

    [ExteriorSurround Object]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\Outside.ocx
    CODEBASE = http://autos.msn.com/components/ocx/exterior/Outside.cab

    [Symantec RuFSI Registry Information Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
    CODEBASE = http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab

    [InstaFred Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\InstFred.ocx
    CODEBASE = file://C:\Program Files\AutoCAD LT 2000i\InstFred.ocx

    [ActiveDataInfo Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\SymAData.dll
    CODEBASE = https://www-secure.symantec.com/techsupp/activedata/SymAData.dll

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [ActiveDataObj Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ActiveData.dll
    CODEBASE = https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

    [AcPreview Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\ACPREV~1.OCX
    CODEBASE = file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx

    [Secure Delivery]
    CODEBASE = http://www.gamespot.com/KDX/kdx.cab

    [H2hPool Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\h2hpool.ocx
    CODEBASE = http://mirror.worldwinner.com//games/v45/h2hpool/h2hpool.cab

    [Tukati Launcher]
    InProcServer32 = C:\WINDOWS\System32\TukatiClientInstaller.dll
    CODEBASE = http://www.tukati.com/software/4/1.7.20.20/tukati.cab

    [WMService Class]
    InProcServer32 = C:\WINDOWS\WildApp.dll
    CODEBASE = http://download.overpro.com/WildApp.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 13,424 bytes
    Report generated in 0.359 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  2. snowbound (Retired Moderator)