Crazy Name-changing Spyware/immune To Fixing!?

I have a running .exe task that WILL NOT END. It opens IEXPLORE.exe at random times, and the name of the process keeps changing, so I do not know how to fix it specifically. (I'm running Windows XP, and have done Ad-Aware SE, SpyBot S&D, Panda Online Antivirus Scan, HijackThis, CrapCleaner)

Here are some examples:
NRNPEUX.EXE is running. I click end process [or end process tree], and it turns into...
JVOSXK.EXE, which, after ending that process, immediately turns into...
UDHVCR.EXE, which, in turn, yields to...
AVTCZPI.EXE, and so on...

It's as if it is the same trojan/spyware/ad thing; just the letters are mixed together each time. Regardless, the process WILL NOT END, and all the above measures I've taken have not fixed it. PLEASE HELP.

Edit by bjgarrick: Unrequested, Inline HJT log removed!

 

Fisrt, download Nail/Bolder/Aurora Remover 0.3.1 Beta and save it to its own folder like c:\ABIremover

- Now extract the abiremover.exe file from the ZIP file into the folder you created but do not run the EXE yet.

- Reboot into Safe Mode with no network suppost and do not run anything else but what I tell you to run!

- Run the ABIRemover.exe, press install, wait (explorer window will disapear)

- When it finishes just reboot and continue with the below steps.


Download and install Microsoft® Windows AntiSpyware during the install make sure you get any updates BUT BEFORE YOU START THE SCAN: Print or save these instructions locally now because you will have to be disconnected with no browsers open in the following steps.

Please make sure ALL Browser Windows are Closed and also you should physically disconnect from the Internet by unplugging your cable. Do not reconnect or open a browser again until requested.

Now allow the Microsoft Antispyware program to run a full scan. After it completes, reboot again in normal boot mode and continue the below steps.


After you complete ALL of the above, then procede with the following online scans:

TrendMicro Online Scan
Bitdefender online scan
RavAntivirus online scan <-- select Auto Clean then click Scan My PC
TrojanScan online scan

After you complete the online scans listed above, reboot and post a fresh HJT log from normal mode.

 

Hey man, thanks for responding.

I followed your instructions until installing Windows Antispyware. A long time ago, my Windows Installer got severely messed up (deleted, accidentally, perhaps?) and I get an error message telling me: "The Windows Installer Service could not be accessed. This can happen if you are running Windows in safe mode, or if the Windows Installer is not correctly installed."

Am I beyond help now? I tried following the links to the scans you posted, and it seems that I have hundreds(?) of infected files! Nothing seems to work noticeably, and the name-changing, IEXPLORE.exe-opening program is still on the loose! Here's an updated logfile for you; tell me my computer is not FUBAR...:

Edit by bjgarrick: Inline log attached!

 

First, tempoararily disable TeaTimer as it will block parts of my fixes. Regarding the Windows Installer issue, download the following file and install. After you do this, again try to install MSAS as it will remove a lot of your problems and create a starting point for us to work from.

Windows Installer 3.1 (v2)

 

Everything worked! Is it really true? Is my computer fixed (for now)?

I followed everything you wrote out, and it seems to have cured the trojans and all-around malware on my PC.

Here is my final (hopefully) logfile; tell me I'm ok:

Edit by bjgarrick: Inline log attached!

- Forever indebted, man. Thanks a million times.

 

From now on please post ALL logs as attachments to your post!


Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


Now scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

O4 - HKLM\..\Run: [uyln] C:\WINDOWS\System32\uyln.exe
O4 - HKLM\..\Run: [jlkwip] c:\windows\system32\ofeehm.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\nvpkal.exe reg_run

O15 - Trusted Zone: http://www.neededware.com

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -

Again, make sure All Browser Windows are Closed when you Click FIX.

NOW:
Navigate to and DELETE the following if they should remain:

C:\WINDOWS\System32\nvpkal.exe

C:\WINDOWS\System32\uyln.exe

C:\WINDOWS\System32\ofeehm.exe

NEXT:
Run CCleaner

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.


Reboot to Normal Windows , Scan with HijackThis and attach the new log.

 

Alright, everything seems to be going smoothly. I haven't seen the name-changing spyware recently, and IEXPLORE.exe hasn't been popping up regularly. I followed your instructions to a T, and here's what I came up with (am I done?):

 

Your HJT log is clean!

Are you having any further problems?

 

No more problems!

I am so grateful for your time and effort, and I don't think I can thank you enough. Without your help, I would now be haphazardly deleting registry keys or worse!

Again, thank you so much.

Peace and love always.

 

Your Welcome!

You should see this article on How to Protect yourself from malware!