I need help with an iexplorer32 virus

Discussion in 'malware problems & news' started by flyinfastcomputer, Oct 25, 2004.

Thread Status:
Not open for further replies.
  1. I have a virus in System32\iexplorer32.exe.
    Here is a list of my startup:

    StartupList report, 10/25/2004, 6:49:44 PM
    StartupList version: 1.52
    Started from : C:\Documents and Settings\The Man\Desktop\startuplist1521\StartupList.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\PROGRA~1\VOB\INSTAN~1\IWCTRL.EXE
    C:\Program Files\Common files\updater\wupdater.exe
    C:\WINDOWS\System32\iexplore32.exe
    C:\WINDOWS\System32\RUNDLL32.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\SahAgent.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\MyWay\bar\1.bin\mwsoemon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\WINDOWS\GWMDMMSG.exe
    C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
    C:\WINDOWS\mHotkey.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\BestBuy\HelpExpress\HXDL.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\BestBuy\HelpExpress\HXIUL.EXE
    C:\Program Files\AIM\aim.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Documents and Settings\The Man\Application Data\iwar.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\BestBuy\HelpExpress\Client\HELPEXP.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Real\RealOne Player\RealPlay.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Documents and Settings\The Man\Desktop\startuplist1521\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\The Man\Start Menu\Programs\Startup]
    Check For Dope Wars Updates.lnk = C:\Program Files\Dopewars\WiseUpdt.exe

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    Microsoft Works Calendar Reminders.lnk = ?

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    IW Controlcenter = C:\PROGRA~1\VOB\INSTAN~1\IWCTRL.EXE
    updater = C:\Program Files\Common files\updater\wupdater.exe
    RunDLL = rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    iched32r = C:\WINDOWS\System32\iched32r.exe
    UsbD = C:\WINDOWS\System32\iexplore32.exe
    WorksFUD = C:\Program Files\Microsoft Works\wkfud.exe
    WildTangent CDA = RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    ViewMgr = C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    susp = C:\WINDOWS\susp.exe
    stcloader = C:\WINDOWS\System32\stcloader.exe
    SAHBundle = C:\DOCUME~1\THEMAN~1\LOCALS~1\Temp\bundle.exe
    SAHAgent = C:\WINDOWS\System32\SahAgent.exe
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    nwiz = nwiz.exe /install
    MyWebSearch Email Plugin = C:\PROGRA~1\MyWay\bar\1.bin\mwsoemon.exe
    mswspl = C:\WINDOWS\System32\stcloader.exe
    Microsoft Works Update Detection = C:\Program Files\Microsoft Works\WkDetect.exe
    Microsoft Works Portfolio = C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    Microsoft Tray = C:\My Shared Folder\Games (1).exe
    kdx = C:\WINDOWS\kdx\KHost.exe
    iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe
    Internet Optimizer = "C:\Program Files\Internet Optimizer\optimize.exe"
    GWMDMMSG = GWMDMMSG.exe
    DM_Server = C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
    ClrSchLoader = C:\Program Files\ClearSearch\Loader.exe
    CHotkey = mHotkey.exe
    ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    WebRebates0 = "C:\Program Files\Web_Rebates\WebRebates0.exe"
    EbatesMoeMoneyMaker = wjview /cp:p "C:\Program Files\EbatesMoeMoneyMaker\System\Code" Main lp: "C:\Program Files\EbatesMoeMoneyMaker"
    bxxs5 = RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    HXDL.EXE = C:\Program Files\BestBuy\HelpExpress\HXDL.EXE -from="CLIENT.CAB" -to="Download\CLIENT.CAB"
    MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
    HXIUL.EXE = C:\Program Files\BestBuy\HelpExpress\HXIUL.EXE
    NVIEW = rundll32.exe nview.dll,nViewLoadHook
    AIM = C:\Program Files\AIM\aim.exe -cnetwait.odl
    Weather = C:\Program Files\AWS\WeatherBug\Weather.exe 1
    Rcsh = C:\Documents and Settings\The Man\Application Data\iwar.exe
    Aurrvsy = C:\WINDOWS\System32\?hkntfs.exe

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=
    SCRNSAVE.EXE=C:\WINDOWS\System32\FORDTR~1.SCR
    drivers=

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\System32\FORDTR~1.SCR
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\WINDOWS\bi.dll - {000006B1-19B5-414A-849F-2A3C64AE6939}
    (no name) - C:\Program Files\Lycos\Sidesearch\sidesearch1500.dll - {00000762-3965-4A1A-98CE-3D4BF457D4C8}
    (no name) - C:\WINDOWS\System32\ATPART~1.DLL - {00000EF1-0786-4633-87C6-1AA7A44296DA}
    (no name) - C:\WINDOWS\twaintec.dll - {000020DD-C72E-4113-AF77-DD56626C6C42}
    (no name) - C:\WINDOWS\System32\n3tpa1.dll - {000E7270-CC7A-0786-8E7A-DA09B51938A6}
    (no name) - C:\WINDOWS\bxxs5.dll - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9}
    MyWebSearch Search Assistant BHO - C:\Program Files\MyWay\SearchAt\1.bin\MWSSRCAS.DLL (file missing) - {00A6FAF1-072E-44cf-8957-5838F569A31D}
    (no name) - C:\Program Files\Kontiki\bin\bh304181.dll (file missing) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB}
    mwsBar BHO - C:\Program Files\MyWay\bar\1.bin\MWSBAR.DLL (file missing) - {07B18EA1-A523-4961-B6BB-170DE4475CCA}
    ohb - C:\WINDOWS\System32\winhot32.dll - {086CEFD5-A88D-4981-8915-D51F04360ED1}
    (no name) - C:\WINDOWS\System32\iSearch\toolbar.dll - {1C78AB3F-A857-482e-80C0-3A1E5238A565}
    NavErrRedir Class - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL - {5D60FF48-95BE-4956-B4C6-6BB168A70310}
    (no name) - C:\WINDOWS\2_0_1browserhelper2.dll - {83DE62E0-5805-11D8-9B25-00E04C60FAF2}
    (no name) - C:\WINDOWS\System32\bridge.dll - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF}
    NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Norton AntiVirus - Scan my computer.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [symsupportutil]
    CODEBASE = https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
    OSD = C:\WINDOWS\Downloaded Program Files\OSD4A.OSD

    [F1 Organizer Class]
    InProcServer32 = C:\WINDOWS\System32\ATPART~1.DLL
    CODEBASE = http://www.addictivetechnologies.net/DM0/cab/1w2fcksh.cab

    [Support.com Configuration Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\tgctlcm.dll
    CODEBASE = http://support.charter.com/sdccommon/download/tgctlcm.cab

    [Microsoft Office Template and Media Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\IEAWSDC.DLL
    CODEBASE = http://office.microsoft.com/templates/ieawsdc.cab

    [{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\WinadX.dll
    CODEBASE = http://public.windupdates.com/get_f...71b0834b3328:522a1c137ec85ca995271ab95b94951b

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}]
    CODEBASE = http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab

    [{26E8361F-BCE7-4F75-A347-98C88B418322}]
    CODEBASE = http://download.websearch.com/Dnl/T_50099/QDow.cab

    [Register Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\HWUtils.dll
    CODEBASE = http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.26/Hiwire.cab

    [Minesweeper Flags Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\minesweeper.dll
    CODEBASE = http://messenger.zone.msn.com/binary/MineSweeper.cab

    [Symantec AntiVirus scanner]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
    CODEBASE = http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab

    [ProjectPoint Document]
    CODEBASE = https://folders.buzzsaw.com/!/download/ProjectPoint-BZ-EN.exe

    [RdxIE Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll
    CODEBASE = http://207.188.7.150/262be2cadda821859305/netzip/RdxIE601.cab

    [AcDcToday Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\ACDCTO~1.OCX
    CODEBASE = file://C:\Program Files\AutoCAD LT 2000i\AcDcToday.ocx

    [MessengerStatsClient Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
    CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

    [InstallShield International Setup Player]
    InProcServer32 = c:\windows\downlo~1\isetup.dll
    CODEBASE = http://www.installengine.com/engine/isetup.cab

    [SurroundVideoCtrl Object]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\MSSurVid.ocx
    CODEBASE = http://autos.msn.com/components/ocx/survid/MSSurVid.cab

    [iiittt Class]
    InProcServer32 = C:\WINDOWS\System32\winhot32.dll
    CODEBASE = http://hotsearchbar.com/toolbar2/winhot32.cab

    [MediaTicketsInstaller Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\MEDIAT~1.OCX
    CODEBASE = http://www.mt-download.com/MediaTicketsInstaller.cab

    [HeartbeatCtl Class]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\hrtbeat.ocx
    CODEBASE = http://fdl.msn.com/zone/datafiles/heartbeat.cab

    [RealArcadeRdxIE Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\RealArcadeRdxIE.dll
    CODEBASE = http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab

    [ExteriorSurround Object]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\Outside.ocx
    CODEBASE = http://autos.msn.com/components/ocx/exterior/Outside.cab

    [Symantec RuFSI Registry Information Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
    CODEBASE = http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab

    [InstaFred Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\InstFred.ocx
    CODEBASE = file://C:\Program Files\AutoCAD LT 2000i\InstFred.ocx

    [ActiveDataInfo Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\SymAData.dll
    CODEBASE = https://www-secure.symantec.com/techsupp/activedata/SymAData.dll

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [ActiveDataObj Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ActiveData.dll
    CODEBASE = https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

    [AcPreview Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\ACPREV~1.OCX
    CODEBASE = file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx

    [Secure Delivery]
    CODEBASE = http://www.gamespot.com/KDX/kdx.cab

    [H2hPool Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\h2hpool.ocx
    CODEBASE = http://mirror.worldwinner.com//games/v45/h2hpool/h2hpool.cab

    [Tukati Launcher]
    InProcServer32 = C:\WINDOWS\System32\TukatiClientInstaller.dll
    CODEBASE = http://www.tukati.com/software/4/1.7.20.20/tukati.cab

    [WMService Class]
    InProcServer32 = C:\WINDOWS\WildApp.dll
    CODEBASE = http://download.overpro.com/WildApp.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 13,424 bytes
    Report generated in 0.359 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  2. snowbound (Retired Moderator; joined Feb 18, 2003; 8,723 posts; location: The Big Smoke)