[Buchas]

When W2000 starts, the process IEXPLORE.EXE appears in process list, though no window of Internet Explorer 6.0 is running. If I try to stop this with Task manager, it reappears after second. It looks suspicious, how do I stop it?


Logfile of HijackThis v1.98.2
Scan saved at 3:52:55 PM, on 1/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\netdde.exe
C:\Programos\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Programos\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~2\ZONELA~1\ZONEAL~1\zlclient.exe
C:\PROGRA~2\SYMANT~1\SYMANT~1\vptray.exe
C:\Programos\StrokeIt\strokeit.exe
C:\Programos\Hotmail Popper\hotpop.exe
C:\Programos\BestCrypt 7.10.3\BCResident.exe
C:\Programos\Opera7\opera.exe
c:\progra~1\intern~1\iexplore.exe
V:\download\software\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iccf-webchess.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: HyperSearchHook - {BC89B9F6-39AF-48FA-86D0-2F596FDCC4DC} - C:\Program Files\Common Files\Hyperbar\HyperbarSS3.dll
O1 - Hosts: 62.212.199.54 gg.muchina.com
O1 - Hosts: 62.212.199.54 ogg.muchina.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programos\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet3_88.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: (no name) - {E0DF0127-122D-DFE8-F70A-7C0D7F0574B6} - C:\DOCUME~1\kS\APPLIC~1\GRIMJU~1\Bone tool.exe
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~2\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~2\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [StrokeIt] C:\Programos\StrokeIt\strokeit.exe
O4 - Startup: Hotmail Popper.lnk = C:\Programos\Hotmail Popper\hotpop.exe
O4 - Global Startup: BestCrypt Auto Open.lnk = C:\Programos\BestCrypt 7.10.3\BestCrypt.exe
O4 - Global Startup: Zone Labs Security.lnk = C:\Programos\Zone Labs\ZoneAlarm\zlclient.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Programos\flash\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Programos\flash\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O20 - AppInit_DLLs: hplun.dll

[Advertisements]

Please go to add/remove programs in control panel and uninstall net dot net or new.net it varies in how it looks. Reboot normally and post a new log.

-=jonnyrotten=-

[-=jonnyrotten=-]

Please go to add/remove programs in control panel and uninstall net dot net or new.net it varies in how it looks. Reboot normally and post a new log.

-=jonnyrotten=-

[Buchas]

I unistalled 'New dot net Domains 3.88' from my PC. However the problem isn't gone. I can't kill IEXPLORE.EXE any way.

Logfile of HijackThis v1.98.2
Scan saved at 10:05:13 AM, on 1/19/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\netdde.exe
C:\Programos\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Programos\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~2\SYMANT~1\SYMANT~1\vptray.exe
C:\Programos\StrokeIt\strokeit.exe
C:\Programos\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programos\Hotmail Popper\hotpop.exe
C:\Programos\BestCrypt 7.10.3\BCResident.exe
C:\Programos\TaskInfo2003 5.0\TaskInfo.exe
c:\progra~1\intern~1\iexplore.exe
V:\download\software\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iccf-webchess.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: HyperSearchHook - {BC89B9F6-39AF-48FA-86D0-2F596FDCC4DC} - C:\Program Files\Common Files\Hyperbar\HyperbarSS3.dll
O1 - Hosts: 62.212.199.54 gg.muchina.com
O1 - Hosts: 62.212.199.54 ogg.muchina.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programos\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: (no name) - {E0DF0127-122D-DFE8-F70A-7C0D7F0574B6} - C:\DOCUME~1\kS\APPLIC~1\GRIMJU~1\Bone tool.exe
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~2\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~2\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [StrokeIt] C:\Programos\StrokeIt\strokeit.exe
O4 - Startup: Hotmail Popper.lnk = C:\Programos\Hotmail Popper\hotpop.exe
O4 - Global Startup: BestCrypt Auto Open.lnk = C:\Programos\BestCrypt 7.10.3\BestCrypt.exe
O4 - Global Startup: Zone Labs Security.lnk = C:\Programos\Zone Labs\ZoneAlarm\zlclient.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Programos\flash\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Programos\flash\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O20 - AppInit_DLLs: hplun.dll

[-=jonnyrotten=-]

Reset your host file. Click Here to download HostsFileReader. To reset the host file to default, simply open the program, click the "reset default" button, and confirm the changes.

Please download "Del Domain" from here:

http://www.geekstogo...=download&id=40

Download it to your desktop or somewhere you will find it. Extract the .inf file from the .zip file you just downloaded. Now right click "Deldomains.inf" and click "Install". It will not appear to have done anything, thats ok. Next step.

You may wish to print out a copy of these instructions to follow while you complete this procedure.
Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.
Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: HyperSearchHook - {BC89B9F6-39AF-48FA-86D0-2F596FDCC4DC} - C:\Program Files\Common Files\Hyperbar\HyperbarSS3.dll
O1 - Hosts: 62.212.199.54 gg.muchina.com
O1 - Hosts: 62.212.199.54 ogg.muchina.com
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: (no name) - {E0DF0127-122D-DFE8-F70A-7C0D7F0574B6} - C:\DOCUME~1\kS\APPLIC~1\GRIMJU~1\Bone tool.exe
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):

C:\Program Files\Common Files\Hyperbar
C:\DOCUME~1\kS\APPLIC~1\GRIMJU~1

Reboot normally and post a new log

-=jonnyrotten=-

[Buchas]

Looks like this evil process (IEXPLORE.EXE) is gone. Thanks!
[I couldm't remove
O1 - Hosts: 62.212.199.54 gg.muchina.com
O1 - Hosts: 62.212.199.54 ogg.muchina.com
because those entries were gone by that time.]
Is there something else I can safely delete?

Logfile of HijackThis v1.98.2
Scan saved at 2:48:09 PM, on 1/19/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\netdde.exe
C:\Programos\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Programos\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~2\ZONELA~1\ZONEAL~1\zlclient.exe
C:\PROGRA~2\SYMANT~1\SYMANT~1\vptray.exe
C:\Programos\StrokeIt\strokeit.exe
C:\Programos\Hotmail Popper\hotpop.exe
C:\Programos\BestCrypt 7.10.3\BCResident.exe
V:\download\software\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iccf-webchess.com/
O1 - Hosts: Usage Information:
O1 - Hosts: Save Changes - Save any changes you make to hosts file
O1 - Hosts: Reset Default - Will Replace any existing Hosts with a Windows Default one, original file doesn't have to exist
O1 - Hosts: Save Log - Will Save the Hosts as a Text file, Good for Posting
O1 - Hosts: _________________________________________________________________
O1 - Hosts: Enable and Disable - Will Swap Hosts Files On the Fly for those that want to use Hosts, and Temporarily Disable it.
O1 - Hosts: _________________________________________________________________
O1 - Hosts: Scan for Hosts - Will Search your Windows Drive for Hosts Files, useful if Hosts is in wrong location or installed to Alternate location by Trojan.
O1 - Hosts: Delete - Does exactly that, Delete and Hosts File Selected in the Listbox.
O1 - Hosts: _________________________________________________________________
O1 - Hosts: By Option^Explicit, [email protected]
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programos\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~2\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~2\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [StrokeIt] C:\Programos\StrokeIt\strokeit.exe
O4 - Startup: Hotmail Popper.lnk = C:\Programos\Hotmail Popper\hotpop.exe
O4 - Global Startup: BestCrypt Auto Open.lnk = C:\Programos\BestCrypt 7.10.3\BestCrypt.exe
O4 - Global Startup: Zone Labs Security.lnk = C:\Programos\Zone Labs\ZoneAlarm\zlclient.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Programos\flash\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Programos\flash\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O20 - AppInit_DLLs: hplun.dll

[-=jonnyrotten=-]

Congratulations! Your system is CLEAN

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use) Click Here.

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox .
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats.

-=jonnyrotten=-