Serious Problem

1. Serious Problem

I have a serious problem with my system ... my knowledge base is primarily software and internet and I only possess a rudimentary knowledge of OSs and hardware.

I use Windows XP Home and I'm pretty sure that my problem is trojan or worm related rather than viral.
I'll try to structure this as well as possible, so not to make it too confusing:

The main problem facing me now (literally) is that I get a persistent box popping up saying: "Internet Explorer has encountered a problem and needs to close. We are sorry for the inconvenience." This happens every few seconds. It's caused by my problem and I have uninstalled IE and denied permissions for it through my firewall (Kerio Personal) in an attempt to contain it - that hasn't worked and I still have the problem.

I don't know if there is a Windows background process associated with IE, but when I've gone into my version of WinTasks to check on this, I lose my desktop when I shut down or minimize WinTasks and then have to reboot again. So I can't really use my WinTasks.

I also get advert windows popping up and arbitrarily resizing my internet windows (I use Firefox). I've never had pop-ups or adverts before and never, ever had my windows buzzing around and resizing themselves.
I detected 'Internet Optimizer' on my system, which is either a trojan or spyware (so much of it lately I forget which) that is allegedly very hard to uninstall and causes the activity I just explained. I have uninstalled it in the Control Panel, let Spyware Nuker 2005 auto uninstall it, found it again with the unpaid version of SpyHunter and manually deleted it from the registry and yet I am still seeing the effects.

In doing research into the different types of executables that are on my system (through WinTasks and my firewall), I see that some are necessary for the 'stability and security of the system' but are also associated with certain worms or trojans, e.g. svchost.exe and others.

On restarts/reboots, when my desktop finally comes up, I see an alert saying that .../system32/kernels32.exe can't be found ... I have researched this one too, and it says it is also associated with a trojan of some sort, so I am reluctant to try to replace it - though I have no clue why I'd get this alert for a trojan file.

As one can imagine, I have had to prematurely restart and shut down a few times with these problems, and after I let it go through the disk scan it does when it is improperly shut down, it says that there was an unrecoverable error: ../local settings/temp/werf6.tmp is missing, and another allocation file had to be truncated or something, too - I didn't have enough time to write it all down.

If I spend some time on it I will also get a blue screen that says there was a system error and it shut down to protect the system; from here it will reboot after several seconds.

I use Norton AV, and at first it would detect a virus and some additional risks, delete the virus, and then I would manually delete the others. It hasn't found anything in safe mode, and I haven't been able to finish a scan in normal mode, as the IE box piles up and eventually bogs everything down.

That's all I can think of right now that is going on on my system. I really hope someone can help me through this one; I'm at a loss.

Thanks.

P.S. Because I know it will be brought up, I shut down System Restore before doing all of this.

2. HijackThis

B.T.W. save a copy of the HijackThis log file and post it on here ...

3. It has all been said before, but here's a link to a tut to give some assist on cleaning out the basics.

hopefully, after following this, you will be clean, but if not, then at least we will know what has been tried.

You say XP home, SP2 ?

do you have ANY routine security tools that you use on a regular [weekly at least] basis ?

I like CrapCleaner. Use it first, on default settings; sometimes the simplest answer is THE answer.
As a gut reaction, I'm leaning towards CoolWebSearch, so at least run CWShredder ...
Use SAFE mode to run the tools, and remember to update first ...

and I second the HJT log, saved as a .txt file, so those that can, can have a look ........

luck to you
Pax

4. Is the taskmanager disabled? I looked up kernels32.exe and came up with this:
http://securityresponse.symantec.com....vicsfram.html

5. Well, I personally would do a reformat and reinstall at this point.

Hope you have decent backups of your important data, and just forget the rest. It sounds like you have taken out some stuff that you need and have been overrun with spyware/malware.

Reinstallation will allow you to set it up right in the first place, and keep it that way from then on.

6. Yes, Muerto, I had forgotten to mention that in the initial post, but my Task Manager was disabled, and it seems like that link explains part of the problem. I'm going to fish through the registry with the info from that link, go through the tut that foxyloxey posted, and let someone who knows more about this decrypt this HJT logfile ...

foxy loxley - I use NAV (once a week), Kerio Personal Firewall (constant), Error Nuker 2005, SpyNuker 2005 (quick scans a few times a week and deep scans once a week), and Ad-Aware (once or twice every two weeks). I keep on top of things pretty well; this all started on Wed, which is 2 days before my scheduled virus scan. I also use WinTasks Pro to monitor the system in between times.

Agent steel - that symantec tool didn't find NetOptimizer, so maybe I finally got rid of that part of it.

OK, below is the HJT log file ...

Logfile of HijackThis v1.99.1
Scan saved at 4:18:24 PM, on 10/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Maintenance & Security\Personal Firewall 4\kpf4ss.exe
D:\Program Files\navapsvc.exe
D:\Program Files\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\Program Files\Maintenance & Security\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.exe
D:\Program Files\Maintenance & Security\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Maintenance & Security\The Cleaner\The Cleaner\tca.exe
D:\Program Files\Maintenance & Security\The Cleaner\The Cleaner\tcm.exe
D:\Corel\Programs\CorUpd.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Program Files\Maintenance & Security\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [SpamNukeWeb] D:\Program Files\Maintenance & Security\SpamNuker\spamnuker.exe /auto
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] D:\Corel\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=111005 serial=dr12wux-0611779-mvv lang=EN
O4 - HKLM\..\Run: [msresearch] C:\windows\msresearch.exe
O4 - HKLM\..\Run: [tcactive] D:\Program Files\Maintenance & Security\The Cleaner\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] D:\Program Files\Maintenance & Security\The Cleaner\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [d:_corel_programs_corupd.e1c] D:\Corel\Programs\CorUpd.exe /Watch /r="Software\Corel\CorelDRAW\12.0"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = D:\Program Files\uLead\photoExpress\CalCheck.exe
O8 - Extra context menu item: &NeoTrace It! - D:\PiesNest\xfiles\NEOTRA~1.25\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - D:\PiesNest\vrie.dll (file missing)
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - D:\PiesNest\vrie.dll (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - d:\program files\inetrepl.dll (file missing)
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - d:\program files\inetrepl.dll (file missing)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - d:\program files\inetrepl.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - D:\PiesNest\xfiles\NEOTRA~1.25\NEOTRA~1\NTXtoolbar.htm (file missing) (HKCU)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius Control) - http://www.worldwinner.com/games/v42/jigsaw/jigsaw.cab
O16 - DPF: {4418DD4D-7265-4C32-BC0A-3FDB3C2DA938} (Protecter Class) - http://www.xxxtoolbar.com/ist/softwa...ct_regular.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -
O16 - DPF: {9D8D7672-93FF-417E-9024-C16AD141C50C} (Haunted Control) - http://www.worldwinner.com/games/v48...ed/haunted.cab
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\hrju0519e.dll
O23 - Service: Abel - Unknown owner - D:\PiesNest\Cain\Abel.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - D:\Program Files\Maintenance & Security\Personal Firewall 4\kpf4ss.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\IWP\NPFMntor.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks for all the responses so far; can't wait to hear about that logfile ...

7. Straight from the analyzer:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
Must be fixed!

O16 - DPF: {4418DD4D-7265-4C32-BC0A-3FDB3C2DA938} (Protecter Class) - http://www.xxxtoolbar.com/ist/softw...ect_regular.cab
Nasty This entry is possibly nasty.
Should be fixed.

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
Nasty This entry is possibly nasty.
Should be fixed.

cheers
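The analyzer verdicts quoted above can be reproduced mechanically over a HijackThis log. The following Python is an added example written for this page, not the analyzer's code or anything posted in the thread; it assumes a set of simplified rules (Shell= must be exactly Explorer.exe, a proxy on 127.0.0.1, O16 controls fetched from the web, every O20 entry, and O23 services whose file is missing) and runs them over a constructed sample log modelled on the one in the thread.

```python
import re

# Constructed sample modelled on the HijackThis log format in this thread
# (not the poster's full log); the O16 URL is a placeholder.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {4418DD4D-7265-4C32-BC0A-3FDB3C2DA938} (Protecter Class) - http://example.invalid/placeholder.cab
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\hrju0519e.dll
O23 - Service: Abel - Unknown owner - D:\PiesNest\Cain\Abel.exe (file missing)
"""
# Every HijackThis line starts with a section code (R0, F2, O4, O16 ...) and " - ".
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")


def triage(log_text):
    """Flag lines worth a closer look as (code, verdict, note) tuples.
    Rules are simplified assumptions modelled on the analyzer hints in the thread."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "F2" and "Shell=" in body:
            # system.ini Shell= should be exactly Explorer.exe; anything appended
            # to it is started with the desktop at every logon.
            shell = body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append((code, "fix", "extra shell entry: " + shell))
        elif code == "R1" and "ProxyServer" in body and "127.0.0.1" in body:
            # A localhost proxy means something on the box is relaying IE traffic.
            findings.append((code, "review", "localhost proxy " + body.split("=")[-1].strip()))
        elif code == "O16" and re.search(r"https?://", body):
            # ActiveX control downloaded from a web site; the source host decides.
            findings.append((code, "review", "web-sourced ActiveX control"))
        elif code == "O20":
            # Winlogon Notify DLLs are loaded by winlogon.exe (SYSTEM); always check them.
            findings.append((code, "review", "Winlogon Notify DLL: " + body.split(" - ")[-1]))
        elif code == "O23" and "(file missing)" in body:
            findings.append((code, "cleanup", "service points at a missing file"))
    return findings


if __name__ == "__main__":
    for code, verdict, note in triage(SAMPLE_LOG):
        print(f"{code:<4} {verdict:<8} {note}")
```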

8. Moxnix - I am almost in agreement with you. With a re-format I will lose some important stuff, but it's supposed to be a long winter and I can have a lot of time to re-build it all; I would like to wait though to see if I can avoid that ... I really don't know how this all has happened - I've always been very diligent with keeping things up to date and clean.

If it does come down to that, what is the proper way to re-format the drives and start from scratch?

Relyt - looking at them, I can understand that they need to be taken care of, I could really use a walk through and some advice as to how to go about it properly though. Thanks.

9. Despite some mystical beliefs, you can delete IE and make your system stable. However, it sounds like you have many things going on, and one of them is that although you may have deleted IE, your system is not stable. This may be partially caused by malware, but you may have created some of it as well.

To correctly delete IE you must go into the registry and edit every application (that requires a window, basically), such as Word, Excel, Outlook, Explorer, etc.; each must be re-associated with another similar web browser or web rendering (HTML) app prior to deleting IE. So if you haven't done that, you might have hosed it up pretty good. However, it might be salvageable by going back to a previous system restore point or using the CD and the recovery console.

But with all of the stuff going on, as Moxnix recommended, a reformat would probably be your best bet. And then create a couple of new restore points after you get all your additional software loaded.

cheers
