IEXPOLES.exe, fxstaller...maybe more



smiley21
2009-03-06, 19:57
I have been battling this infection for a few days and decided to give you guys a try...again. I've posted here before but it has been a while. To the chase - my kids' PC has been infected after clicking on a messenger link...I think?? I have downloaded/run MBAM and SUPERAntispyware and they have cleaned out what they can. I have tried Spybot S&D in the past but it does not play well with COMODO for some reason. My scans were clean so I deleted my Restore Points and was going to set a new one after a scan with Kaspersky On-line. That's when it found this IEXPOLES.exe...again! It says it is in C:\Windows\IEXPOLES.exe. Here is my HJT log (being run as Smiley21.exe)...Thanks!!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:38:06 AM, on 3/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\Smiley21.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live OneCare Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 5516 bytes

pskelley
2009-03-07, 13:32
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Pinned (sticky) to the top of this forum, and posted above, are the directions; make sure you have read and followed them.

Nothing is showing in the HJT log, post the information from the Kaspersky Online Scan (KOS) so I can see everything it has to say.

fxstaller <<< what program finds this and where is it located?
http://www.prevx.com/filenames/X2593700059074710707-X1/FXSTALLER2EEXE.html

Thanks

smiley21
2009-03-07, 16:45
Greetings and thanks for taking the time on this. The first log is the initial Kaspersky scan before running MBAM (I have the log to show what MBAM performed if needed). The second log is after and still shows the IEXPOLES. The "Backdoor" description has me worried and I wonder if I'm not better off just rescuing their iTunes and reformatting. I'll leave that up to you - here are the logs. Thanks again!!


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, March 5, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, March 05, 2009 15:21:52
Records in database: 1870838
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 56575
Threat name: 5
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 02:20:13


File name / Threat name / Threats count
C:\Documents and Settings\Korey\Local Settings\Temporary Internet Files\Content.IE5\Z3AWV496\inj[1].exe Infected: Backdoor.Win32.Agent.aekz 1
C:\Documents and Settings\Korey\Local Settings\Temporary Internet Files\Content.IE5\Z3AWV496\rape[1].exe Infected: Trojan-Downloader.Win32.Murlo.adu 1
C:\WINDOWS\fxstaller.exe Infected: Backdoor.Win32.Agent.aekn 1
C:\WINDOWS\IEXPOLES.exe Infected: Backdoor.Win32.Agent.aekp 1
C:\WINDOWS\system32\awttUOih.dll Infected: Trojan.Win32.Monderb.ampj 1

The selected area was scanned.



second log...

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, March 6, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, March 06, 2009 13:05:45
Records in database: 1874052
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 55471
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:53:56


File name / Threat name / Threats count
C:\WINDOWS\IEXPOLES.exe Infected: Backdoor.Win32.Agent.aekp 1

The selected area was scanned.
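
The two reports above are compared by eye in the thread; as an added example (not code from the thread or from any of the tools named in it), here is a small Python parser for the Kaspersky Online Scanner 7 report format that diffs two scans into removed, persistent and new detections, and refuses a pasted report whose row count disagrees with its "Infected objects" summary. The embedded reports are constructed, abbreviated copies of the two posted above: the rows and counts are the page's own, most header lines are dropped.

```python
import re

# One row of the "File name / Threat name / Threats count" table, e.g.
#   C:\WINDOWS\IEXPOLES.exe Infected: Backdoor.Win32.Agent.aekp 1
ROW = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")
INFECTED = re.compile(r"^Infected objects:\s*(\d+)$")

# Constructed, abbreviated copies of the two reports posted in the thread.
SCAN_BEFORE = r"""Thursday, March 5, 2009
Infected objects: 5

File name / Threat name / Threats count
C:\Documents and Settings\Korey\Local Settings\Temporary Internet Files\Content.IE5\Z3AWV496\inj[1].exe Infected: Backdoor.Win32.Agent.aekz 1
C:\Documents and Settings\Korey\Local Settings\Temporary Internet Files\Content.IE5\Z3AWV496\rape[1].exe Infected: Trojan-Downloader.Win32.Murlo.adu 1
C:\WINDOWS\fxstaller.exe Infected: Backdoor.Win32.Agent.aekn 1
C:\WINDOWS\IEXPOLES.exe Infected: Backdoor.Win32.Agent.aekp 1
C:\WINDOWS\system32\awttUOih.dll Infected: Trojan.Win32.Monderb.ampj 1

The selected area was scanned.
"""
SCAN_AFTER = r"""Friday, March 6, 2009
Infected objects: 1

File name / Threat name / Threats count
C:\WINDOWS\IEXPOLES.exe Infected: Backdoor.Win32.Agent.aekp 1

The selected area was scanned.
"""


def parse_kos_report(text):
    """Return (stated_count, {path: threat}); paths are lower-cased because NTFS
    is case-insensitive and the same file may be logged with different case."""
    stated, findings, in_table = None, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if m := INFECTED.match(line):
            stated = int(m.group(1))
        elif line.startswith("File name / Threat name"):
            in_table = True
        elif in_table and (m := ROW.match(line)):
            findings[m.group("path").lower()] = m.group("threat")
        elif in_table and line.startswith("The selected area was scanned"):
            in_table = False
    # A truncated paste shows up as a row count that disagrees with the summary.
    if stated is not None and stated != len(findings):
        raise ValueError(f"{len(findings)} rows listed but {stated} infected objects claimed")
    return stated, findings


def diff_reports(before, after):
    """Classify each detection as removed, persistent or new across two scans."""
    _, old = parse_kos_report(before)
    _, new = parse_kos_report(after)
    removed = sorted(p for p in old if p not in new)
    persistent = sorted(p for p in old if p in new)
    appeared = sorted(p for p in new if p not in old)
    return removed, persistent, appeared
```

Calling diff_reports(SCAN_BEFORE, SCAN_AFTER) leaves c:\windows\iexpoles.exe as the only persistent entry, the same conclusion the helper draws below; a detection that keeps reappearing after deletion is the signal to look for whatever is re-dropping it rather than to delete the file again.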

pskelley
2009-03-07, 17:12
Thanks for returning that information, let's proceed like this.

1) Make sure you can view all files and folders for your system:
http://www.bleepingcomputer.com/tutorials/tutorial62.html#winxp

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

3) Right click Start > Explore and navigate to these files/folders and delete them if there.

According to the new scan on Friday, March 6, 2009 all but one item is gone, but check to be sure.

(ATF-Cleaner should have cleaned this folder, but check to be sure)

C:\Documents and Settings\Korey\Local Settings\Temporary Internet Files\ <<< delete all files in that folder in RED

C:\WINDOWS\fxstaller.exe <<< delete that file
C:\WINDOWS\IEXPOLES.exe <<< delete that file
C:\WINDOWS\system32\awttUOih.dll <<< delete that file

4) Empty the Recycle Bin on the Desktop

5) Clean System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

6) Update your security programs and scan with them to make sure they all scan clean.

Let me know...Thanks

Phil

smiley21
2009-03-07, 18:01
Thanks for the help. I run ATF on a weekly basis and have done so again here. I have set my "view folders" option to show all, but the:
C:\Documents and Settings\Korey\Local Settings\Temporary Internet Files\
does not appear. Have not seen it there since SP2. I usually delete my temp by right-clicking IE > Internet Properties > Delete. Hope that covers that - if not, any advice on how to get it to show in Documents and Settings would be appreciated. Have not seen:
C:\WINDOWS\fxstaller.exe <<< delete that file
or
C:\WINDOWS\system32\awttUOih.dll <<< delete that file
since MBAM. Kaspersky is the only one finding C:\Windows\IEXPOLES.exe at this point, as I do not see it in the folder when viewing. Recycle Bin is empty and System Restore is still off. I will create a new restore point, but if IEXPOLES is still there I'm afraid I will copy it as well. I will update and rescan with all again - does that include MBAM? - and will post any findings. Thanks!

pskelley
2009-03-07, 18:46
This pathway is a correct one that would not show in the KOS scan unless it exists. Not sure what you are looking at, but it has to be there.

C:\Documents and Settings\Korey\Local Settings\Temporary Internet Files\

C:\Documents and Settings
Korey
Local Settings
Temporary Internet Files

Try using Search Companion, Start > Search > All Files and Folders > Temporary Internet Files
Might take a while, lots of files to look through.

C:\Documents and Settings <<< is certainly a valid folder

Thanks

smiley21
2009-03-07, 21:37
Update so far...
I do know that this is a valid pathway - I used to go there to save me re-downloading some files. I right-click My Computer and select "Explore". I then navigate:
Local Disk C:>Documents and Settings\Korey\Local Settings\
I am then presented with Application Data or Temp folders...no more. If I select Default User\Local Settings\ there is a Temporary Internet Files folder. I have navigated to IE > Internet Properties > Settings > View Files and deleted everything there.

COMODO.....Clean Scan

KASPERSKY...Updating files and will scan when complete.

MBAM...Did you want a scan with this again??

Here is the SUPERAntiSpyware Scan

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/07/2009 at 11:17 AM

Application Version : 4.25.1014

Core Rules Database Version : 3784
Trace Rules Database Version: 1741

Scan type : Complete Scan
Total Scan Time : 00:27:11

Memory items scanned : 404
Memory threats detected : 0
Registry items scanned : 5231
Registry threats detected : 5
File items scanned : 12759
File threats detected : 0

Unclassified.Unknown Origin
HKU\S-1-5-21-1715567821-1979792683-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}

Adware.MyWebSearch/FunWebProducts
HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}
HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs

Rogue.Component/Trace
HKU\S-1-5-21-1715567821-1979792683-839522115-1004\Software\Microsoft\CS41275
HKU\S-1-5-21-1715567821-1979792683-839522115-1004\Software\Microsoft\FIAS4051

Thanks!!

smiley21
2009-03-08, 00:59
Here are the new Kaspersky and MBAM logs. MBAM says it found IEXPOLES.exe and deleted it. I'm going to reboot and run another kaspersky and see. Thanks!

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, March 7, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, March 07, 2009 19:46:23
Records in database: 1878095
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 55688
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:52:35


File name / Threat name / Threats count
C:\WINDOWS\IEXPOLES.exe Infected: Backdoor.Win32.Agent.aekp 1

The selected area was scanned.



Malwarebytes' Anti-Malware 1.34
Database version: 1826
Windows 5.1.2600 Service Pack 2

3/7/2009 3:48:47 PM
mbam-log-2009-03-07 (15-48-47).txt

Scan type: Full Scan (C:\|)
Objects scanned: 124955
Time elapsed: 35 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\IEXPOLES.exe (Trojan.Agent) -> Quarantined and deleted successfully.

smiley21
2009-03-08, 03:34
Last scan showed clean...

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, March 7, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, March 07, 2009 22:40:02
Records in database: 1878540
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 55723
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:52:58

No malware has been detected. The scan area is clean.

The selected area was scanned.

pskelley
2009-03-08, 12:31
Thanks for letting me know. Here is good information to help you keep it that way.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html