
Thread: hidden iexplore and browser hijack

  1. #1
    Junior Member (Join Date: Sep 2011, Posts: 4)

    hidden iexplore and browser hijack

    Running Windows XP prof SP2
    Spybot S&D 1.6.2.46, updated 9/14/2011

    At least a month ago my computer became infected with malware. Spybot does not detect it and says that my system is clean. In Task Manager I can see iexplore.exe running, but there is no open visible window. My default browser is Firefox 5.0.1. I did not open IE, but something on the computer is causing it to open hidden. After a while it accesses the registry and changes the default browser to IE.

    As an interim "band-aid" for dealing with this problem, I installed a program called KillProcess. It will kill the iexplore process periodically. Nevertheless, the problem has now gotten worse. Firefox is hijacked and I get directed to various websites that I did not request. The problem is so bad that it is almost impossible to work on the internet.

    As a test, I restarted my system, immediately opened Task Manager and let it sit there without activity. The offending malware does not do anything. Then I connect to my ISP (without opening a browser) and after a while, I see a hidden iexplore in Task Manager. The offense is not coming from a cookie, because I had deleted all cookies prior to the computer restart.

    Despite what the DDS log indicates, I do not have Comodo firewall currently installed on my computer.

    Thank you sincerely for any help you can provide.

    ========================================
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.5.0_21
    Run by Artie at 16:26:48 on 2011-09-19
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.100 [GMT 3:00]
    .
    FW: COMODO Firewall Pro *Enabled*
    .
    ============== Running Processes ===============
    .
    D:\Utilities\emisoftAntiMalware\a2service.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    D:\CD-DVD\CDBurnerXP\NMSAccessU.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    D:\Utilities\KeyloggerKing410\MpkI.exe
    C:\WINDOWS\system32\tp4mon.exe
    C:\Java\jre1.5.0_21\bin\jusched.exe
    D:\Utilities\HamsinClipboard\HamsinClipboard.exe
    D:\Utilities\KillProcess\KillProcess.exe
    C:\FireFox\firefox.exe
    C:\FireFox\plugin-container.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = file:///C:/home.html
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\java\jre1.5.0_21\bin\ssv.dll
    BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Agent Ransack Keyboard Hook: {b23edae2-2a36-4c87-aefd-b6801b6c6584} - c:\program files\mythicsoft\agent ransack\ShellExt.dll
    {d0790168-28c6-42ab-8858-92b956d46b1c}
    uRun: [HamsinClipboard] d:\utilities\hamsinclipboard\HamsinClipboard.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [TrackPointSrv] tp4mon.exe
    mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
    mRun: [SunJavaUpdateSched] "c:\java\jre1.5.0_21\bin\jusched.exe"
    mRun: [QuickTime Task] "d:\videoplayers\quicktime\qttask.exe" -atboottime
    mRun: [USB Safely Remove] d:\utilities\usb-safelyremove\USBSafelyRemove.exe /startup
    dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    mExplorerRun: [Mpk_king.exe] d:\utilities\keyloggerking410\MpkI.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_21-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_21-windows-i586.cab
    TCP: Interfaces\{4B6ED689-28B3-4E88-B17A-5EE48EEAB35F} : DhcpNameServer = 10.10.0.15 10.10.0.8
    TCP: Interfaces\{DB889A73-642E-4491-9C16-C90A4ABAEB1E} : NameServer = 10.10.0.15 10.10.0.8
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} -
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: xxyxWMDU - xxyxWMDU.dll
    {d0790168-28c6-42ab-8858-92b956d46b1c}
    LSA: Notification Packages = :\WINDOW
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\artie\application data\mozilla\firefox\profiles\1eitxh4g.default\
    FF - prefs.js: browser.startup.homepage - file:///C:/home.html
    FF - plugin: d:\videoplayers\quicktime\plugins\npqtplugin.dll
    FF - plugin: d:\videoplayers\quicktime\plugins\npqtplugin2.dll
    FF - plugin: d:\wordproc\adobereader812\reader\browser\nppdf32.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 ddSrcUSB;SourceUSB Analyzer Driver;c:\windows\system32\drivers\ddSrcUSB.sys [2011-6-11 112808]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-21 64288]
    R2 a2AntiMalware;Emsisoft Anti-Malware 5.1 - Service;d:\utilities\emisoftantimalware\a2service.exe [2011-8-28 3029208]
    R2 TTFixerService;NST ToolTipFixer;c:\program files\neosmart technologies\tooltipfixer\ToolTipFixer.exe [2007-6-26 10240]
    R3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [2010-1-18 802683]
    S3 a2acc;a2acc;d:\utilities\emisoftantimalware\a2accx86.sys [2011-8-28 73728]
    S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1169232]
    S3 MirayVirtualDisk;MirayVirtualDisk;c:\windows\system32\drivers\mvd.sys [2011-4-17 142448]
    .
    =============== Created Last 30 ================
    .
    2011-09-19 10:27:51 -------- d-----w- c:\documents and settings\all users\application data\SecTaskMan
    2011-09-13 18:59:32 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-02 12:59:55 388096 ----a-r- c:\documents and settings\artie\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2011-08-29 18:55:23 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-08-29 18:55:23 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-08-27 05:39:17 -------- d-----w- c:\documents and settings\artie\application data\PROject MT
    2011-08-26 07:16:13 -------- d-----w- c:\windows\Downloaded Installations
    2011-08-23 10:17:07 7168 -c--a-w- c:\windows\system32\dllcache\hccoin.dll
    2011-08-23 10:17:07 7168 ----a-w- c:\windows\system32\hccoin.dll
    2011-08-23 10:17:06 30080 -c--a-w- c:\windows\system32\dllcache\usbehci.sys
    2011-08-23 10:17:06 30080 ----a-w- c:\windows\system32\drivers\usbehci.sys
    2011-08-22 10:02:55 -------- d-----w- c:\documents and settings\artie\local settings\application data\Abelssoft
    2011-08-22 05:24:14 -------- d-----w- C:\FireFox-Rus
    .
    ==================== Find3M ====================
    .
    2011-08-20 08:15:30 93113400 ----a-w- C:\regbackup prior to deleteadministratorprivateame.reg
    1998-12-09 02:53:54 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL
    1998-12-09 02:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL
    1998-12-09 02:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL
    1998-12-09 02:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL
    1998-12-09 02:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL
    1998-12-09 02:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL
    .
    ============= FINISH: 16:33:16.71 ===============
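Added example, not part of the thread and not code from DDS or any other tool named here: a small Python script that applies three checks a responder would otherwise run by eye over the Pseudo HJT section of the log above, namely Winlogon Notify packages outside a known-good list (with a crude random-looking-name test), Hosts entries that blackhole security or support sites, and CLSIDs listed with no name or DLL path. The sample lines are constructed copies of lines from that log; the known-good Notify list and the site list are assumptions of this example, not an authoritative reference.

```python
"""Triage heuristics for a DDS "Pseudo HJT Report", run over constructed sample lines."""
import re

# Winlogon Notify packages that ship with Windows XP, plus the ATI display
# driver hook seen in the log above. Assumption of this example: anything
# outside this list is a lead to verify, not a verdict.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "atiextevent",
}

# Sites a victim may need during cleanup (assumed list). A Hosts entry that
# points one of them at a loopback/bogus address is a classic tool-blocking move.
SECURITY_SITES = ("spywareinfo", "bleepingcomputer", "gmer", "microsoft",
                  "symantec", "mcafee", "kaspersky", "avast", "emsisoft")
BLACKHOLE_IPS = {"127.0.0.1", "0.0.0.0"}

NOTIFY_RE = re.compile(r"^Notify:\s+(?P<name>\S+)\s+-\s+(?P<dll>.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
BARE_CLSID_RE = re.compile(r"^\{[0-9a-fA-F-]{36}\}$")

# Constructed sample: copies of lines from the DDS log in the post above.
SAMPLE = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
{d0790168-28c6-42ab-8858-92b956d46b1c}
Notify: AtiExtEvent - Ati2evxx.dll
Notify: xxyxWMDU - xxyxWMDU.dll
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 127.0.0.1 localhost
uStart Page = file:///C:/home.html
"""


def looks_random(name):
    """Crude test for generated names: 6-12 letters only, fewer than 25% vowels."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) != len(name) or not 6 <= len(letters) <= 12:
        return False
    vowels = sum(c in "aeiouAEIOU" for c in letters)
    return vowels / float(len(letters)) < 0.25


def triage(report):
    """Return (severity, line, reason) tuples for lines worth a second look."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        m = NOTIFY_RE.match(line)
        if m:
            name = m.group("name")
            if name.lower() not in KNOWN_NOTIFY:
                why = "Winlogon Notify package not in the known-good list"
                if looks_random(name):
                    why += "; name looks randomly generated"
                findings.append(("high", line, why))
            continue
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.group("ip"), m.group("host").lower()
            if ip in BLACKHOLE_IPS and any(s in host for s in SECURITY_SITES):
                findings.append(("high", line,
                                 "Hosts entry blackholes a security/support site"))
            continue
        if BARE_CLSID_RE.match(line):
            findings.append(("medium", line,
                             "CLSID listed without a name or DLL path; "
                             "resolve it under HKCR\\CLSID before acting"))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE):
        print("[%s] %s\n        %s" % (severity.upper(), line, reason))
```

Treat each hit as a lead to confirm on the machine (registry value, file on disk, file hash), not as something to delete from the log alone; the same caution the helper gives for GMER rootkit entries applies here.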

  2. #2
    Senior Member (Join Date: Sep 2010, Posts: 631)

    Hi molodets, welcome to the forum.

    To make cleaning this machine easier
    • Please do not uninstall/install any programs unless asked to
      It is more difficult when files/programs are appearing in/disappearing from the logs.
    • Please do not run any scans other than those requested
    • Please follow all instructions in the order posted
    • All logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, and uncheck Word Wrap if it is checked.
    • Do not attach any logs/reports, etc.. unless specifically requested to do so.
    • If you have problems with or do not understand the instructions, Please ask before continuing.
    • Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.


    Go HERE to get a randomly named copy of GMER. Scroll down to the Download section and click Download EXE. Save it to your desktop.

    Before scanning with GMER, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

    • Double click on the file you downloaded. If asked to allow the gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.


    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop, and post it in your next reply.


    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


    If GMER will not run in normal windows, please run it in Safe Mode

    Download aswMBR.exe to your desktop.

    Double click the aswMBR.exe to run it

    Click the "Scan" button to start scan


    On completion of the scan click save log, save it to your desktop and post in your next reply


    There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

    Please post back with
    • GMER log
    • aswMBR log
    • MBR.zip (attached)
    Thanks
    Member of UNITE and ASAP

  3. #3
    Junior Member (Join Date: Sep 2011, Posts: 4)

    Next step?

    I downloaded GMER and aswMBR. GMER did indeed give a warning about a LoadDriver error. I clicked OK and ran GMER. The log is shown below. The error message is attached.
    I then tried to run aswMBR.exe. It would not run.

    The behavior that I was experiencing, that is, a hidden instance of iexplore, did not occur at all today, until I ran GMER. Then it started producing hidden iexplore again.

    What's the next step please?


    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-09-21 19:13:07
    Windows 5.1.2600 Service Pack 2
    Running: hqvlr8o6.exe; Driver: C:\DOCUME~1\Artie\LOCALS~1\Temp\uglyypob.sys


    ---- Registry - GMER 1.0.15 ----

    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9A71DB4C-7855-933D-07BD-8EB81696945B}
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9A71DB4C-7855-933D-07BD-8EB81696945B}@abdjacgcolfingcnoaniohffjmephbeijf 0x61 0x62 0x6A 0x64 ...
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9A71DB4C-7855-933D-07BD-8EB81696945B}@bbdjacgcolfingcnoaiihfeipfphejppoemn 0x61 0x62 0x6D 0x64 ...

    ---- EOF - GMER 1.0.15 ----

  4. #4
    Senior Member (Join Date: Sep 2010, Posts: 631)

    Hi molodets,

    Any error when trying to run aswMBR?

    You may have a corrupt copy, please download a new copy and try it again. You can also see if it will run in Safe Mode.

    Let me know how you make out.

    Thanks

  5. #5
    Junior Member (Join Date: Sep 2011, Posts: 4)

    Quote Originally Posted by oldman960:
    Hi molodets,

    You may have a corrupt copy, please download a new copy and try it again. You can also see if it will run in Safe Mode.

    Let me know how you make out.
    Thanks
    I downloaded aswMBR again from the link supplied in a previous message. Internet Explorer shows a file size of 1872KB, BUT this download took about 1 second to complete and I know I can't download that fast. The file really seems to be empty and of course, as previously mentioned, it will not run (not even in Safe Mode).
    Perhaps you can verify the link above and/or try downloading it yourself and see if it will run?
    thanks.

  6. #6
    Senior Member (Join Date: Sep 2010, Posts: 631)

    Hi molodets,

    I just downloaded it with Internet Explorer. It downloaded and ran fine. Can you try downloading it with Internet Explorer?

  7. #7
    Junior Member (Join Date: Sep 2011, Posts: 4)

    Quote Originally Posted by oldman960:
    Hi molodets,

    I just downloaded it with Internet Explorer. It downloaded and ran fine. Can you try downloading it with Internet Explorer?
    I tried once again to download aswMBR.exe; this time with Internet Explorer browser. It appears to download without problem, but when I double click it to run, it still will not run.

    I then tried once again to download with Opera. Again it appears to download, but nothing happens when I double click it.

    Then I tried to run it in Safe Mode again. Now I've got problems with Safe Mode. I get the BLUE SCREEN. I tried several times. No luck. When I tried this last week, Safe Mode would start up without problems.

    BTW, after several attempts I was able to photograph the Blue Screen and see that there is some technical information there. Is that of any help?

    Anyway, the basic problem remains -- aswMBR.exe won't run.

  8. #8
    Senior Member (Join Date: Sep 2010, Posts: 631)

    Hi molodets,

    Thanks for trying to get aswMBR to run. We'll try one more thing to see if it will run. Please rename aswMBR.exe to iexplore.exe. If it runs please post the log.

    Quote: "I was able to photograph the Blue Screen and see that there is some technical information there. Is that of any help?"
    Every piece of information is useful. Please post the image.

    Next

    Let's see if we can get a look at the iexplore process that is running. Do not terminate it, we may be able to see where it's running from with this tool.

    Download OTL to your desktop.
    • Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output
    • Check the boxes beside LOP Check and Purity Check.
    • In the window under Custom Scans/Fixes copy and paste the following


      netsvcs
      %SYSTEMDRIVE%\*.*
      %systemroot%\Fonts\*.com
      %systemroot%\Fonts\*.dll
      %systemroot%\Fonts\*.ini
      %systemroot%\Fonts\*.ini2
      %systemroot%\Fonts\*.exe
      %systemroot%\system32\spool\prtprocs\w32x86\*.*
      %systemroot%\REPAIR\*.bak1
      %systemroot%\REPAIR\*.ini
      %systemroot%\system32\*.jpg
      %systemroot%\*.jpg
      %systemroot%\*.png
      %systemroot%\*.scr
      %systemroot%\*._sy
      %APPDATA%\Adobe\Update\*.*
      %ALLUSERSPROFILE%\Favorites\*.*
      %APPDATA%\Microsoft\*.*
      %PROGRAMFILES%\*.*
      %APPDATA%\Update\*.*
      %systemroot%\*. /mp /s
      CREATERESTOREPOINT
      %systemroot%\System32\config\*.sav
      %PROGRAMFILES%\bak. /s
      %systemroot%\system32\bak. /s
      %ALLUSERSPROFILE%\Start Menu\*.lnk /x
      %systemroot%\system32\config\systemprofile\*.dat /x
      %systemroot%\*.config
      %systemroot%\system32\*.db
      %PROGRAMFILES%\Internet Explorer\*.dat
      %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
      %USERPROFILE%\Desktop\*.exe
      %PROGRAMFILES%\Common Files\*.*
      %systemroot%\*.src
      %systemroot%\install\*.*
      %systemroot%\system32\DLL\*.*
      %systemroot%\system32\HelpFiles\*.*
      %systemroot%\system32\rundll\*.*
      %systemroot%\winn32\*.*
      %systemroot%\Java\*.*
      %systemroot%\system32\test\*.*
      %systemroot%\system32\Rundll32\*.*
      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
      %USERPROFILE%\..|smtmp;true;true;true /FP
      %temp%\smtmp\*.* /s >
      /md5start
      iexplore.*
      explorer.*
      winlogon.*
      dll
      zx.dll
      hlp.dat
      /md5stop

    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them all in.

    Please post back with
    • aswMBR.txt (if it ran)
    • both OTL logs


    Thanks
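Added example, not part of the thread and not code from OTL or any other tool named here: the question the helper raises above, where the running iexplore.exe lives and what started it, can also be answered from a WMIC process dump, which Windows XP has built in. The Python below parses that dump and, for every iexplore.exe, compares its image path with the expected one and walks the ParentProcessId chain back towards explorer.exe. The sample dump (including the example_launcher.exe entry) is constructed for the example, not a capture from the machine in the thread.

```python
"""Who is launching iexplore.exe? Parent-chain walk over a WMIC process dump."""
import csv

# On the patient (Windows XP ships wmic; PowerShell does not ship with XP SP2):
#   wmic process get Name,ProcessId,ParentProcessId,ExecutablePath,CommandLine /format:csv > procs.csv
# WMIC emits the columns in alphabetical order, so rows are read by column name.

# Assumed location of the genuine browser on an XP install.
EXPECTED_IE = r"c:\program files\internet explorer\iexplore.exe"

# Constructed sample dump (not real data from the thread's machine).
SAMPLE_WMIC = r"""
Node,CommandLine,ExecutablePath,Name,ParentProcessId,ProcessId
PC,C:\WINDOWS\Explorer.EXE,C:\WINDOWS\Explorer.EXE,Explorer.EXE,640,1180
PC,C:\DOCUME~1\user\LOCALS~1\Temp\example_launcher.exe,C:\DOCUME~1\user\LOCALS~1\Temp\example_launcher.exe,example_launcher.exe,1180,2288
PC,C:\Program Files\Internet Explorer\iexplore.exe -nohome,C:\Program Files\Internet Explorer\iexplore.exe,iexplore.exe,2288,2404
PC,C:\Program Files\Internet Explorer\iexplore.exe,C:\Program Files\Internet Explorer\iexplore.exe,iexplore.exe,1180,2520
"""


def parse_wmic_csv(text):
    """Map pid -> process record; WMIC CSV starts with a blank line, so drop blanks."""
    lines = [l for l in text.splitlines() if l.strip()]
    procs = {}
    for row in csv.DictReader(lines):
        pid = int(row["ProcessId"])
        procs[pid] = {
            "pid": pid,
            "ppid": int(row["ParentProcessId"]),
            "name": row["Name"],
            "path": row["ExecutablePath"],
            "cmd": row["CommandLine"],
        }
    return procs


def parent_chain(procs, pid):
    """Names from the process up to the first parent missing from the dump."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["name"])
        pid = procs[pid]["ppid"]
    return chain


def find_spawners(text, target="iexplore.exe"):
    """For each `target` process: image-path check, direct parent, full ancestry."""
    procs = parse_wmic_csv(text)
    results = []
    for p in procs.values():
        if p["name"].lower() != target:
            continue
        parent = procs.get(p["ppid"])
        results.append({
            "pid": p["pid"],
            "path_ok": p["path"].lower() == EXPECTED_IE,
            "parent": parent["name"] if parent else "<exited or unknown pid %d>" % p["ppid"],
            "parent_path": parent["path"] if parent else "",
            "chain": parent_chain(procs, p["pid"]),
            # A browser the user opened is normally a child of the shell.
            "user_launched": bool(parent) and parent["name"].lower() == "explorer.exe",
        })
    return sorted(results, key=lambda r: r["pid"])


if __name__ == "__main__":
    for r in find_spawners(SAMPLE_WMIC):
        print("pid %d path_ok=%s user_launched=%s parent=%s (%s)" % (
            r["pid"], r["path_ok"], r["user_launched"], r["parent"], r["parent_path"]))
        print("    chain: " + " <- ".join(r["chain"]))
```

Two caveats when reading the output on a real machine: PIDs are reused, so a parent that has already exited can make an unrelated process look like the launcher (take the dump while the hidden iexplore is still alive, and do not kill it first, as the helper asks), and a rootkit can hide a process from WMI just as it can from Task Manager, which is why the thread relies on GMER and aswMBR for that layer. WMI also says nothing about whether a window is visible; that observation stays with Task Manager.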

  9. #9
    Senior Member (Join Date: Sep 2010, Posts: 631)

    Hi molodets,


    Still with us?

  10. #10
    Senior Member (Join Date: Sep 2010, Posts: 631)

    Due to inactivity, this thread will now be closed.

    Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.
