Exploit virus on MP3 player

Discussion in 'Malware Help (A Specialist Will Reply)' started by thetada, May 15, 2006.

  1. thetada

    thetada Private E-2

    Hi,

    First of all I'd like to say a big thank you for all the help I received on this site last Autumn. I never got round to thanking you because after all the work you'd helped me do, my computer's hard drive suddenly and irrevocably crashed, taking various unsaved data with it. After that I avoided computers for some time which is why I never got round to thanking you for your help, my apologies and belated thanks.

    Now I have a problem with an Exploit worm virus. AVG Free edition found the worm but could not fix it. Conversely, my Symantec corporate edition couldn't find it. Bizarrely, when I ran the two together, AVG found it but Symantec quarantined it. I'll say here that I'm aware two virus programs should not be run in tandem and I have now uninstalled AVG.

    Now, the virus was found on my IRIVER player, forgive me if I tell you what you already know, but the IRIVER is essentially an external hard drive with some software which enables various functions, mainly the playing of MP3 files. Anyway, although the virus programs have quarantined and eliminated the Exploit files found, there is a recurrent file that simply will not die. It is, or purports to be, a recorded voice file. The whole problem came to light when I was recording a series of voice files, which have all now been deleted, save for this one which will not be deleted. Anyway, this recurrent voice file, when deleted, initially disappears, but then, when I leave the folder and return to it, always immediately comes back. That is the problem.

    My system specs.
    Sorry, I found all the data a bit daunting but I think the following is what you require:
    OS: Windows XP Prof, 2003, Service Pack 2, version 5.1.2600 (notably, this was installed by a Chinese technician as I live in China. My computer functions for the most part in English but, frustratingly, often goes a little Chinese on me, suggesting it's the Chinese Windows installed in English, I'm afraid I can't be sure owing to the language barrier).
    CPU: Mobile AMD Athlon XP, 1200MHz
    Ram: 256MB Dram
    Hard drive: 40GB
    (Apologies if this information is insufficient, please inform me if it is)

    What I have done:
    As instructed, I have carried out steps 1 to 6 in the "READ & RUN ME FIRST Before Asking for Support" thread of the Malware Removal section. I have also carried out the steps in the "Before You Post Asking For Help, Please Read This" thread.

    What was found.
    In addition to four instances of the Exploit virus, (found by AVG Free and Symantec)
    Adaware found:
    Transponder, Reg Key, Data Minder, HKEY_CLASSES_ROOT:iehlprobj.iehlprobj AND HKEY_CLASSES_ROOT:iehlprobj.iehlprobj.1

    Spybot found:
    MainPean, Windows Security Center.AntiVirusOverride

    Windows Defender and Windows Malicious Software Removal Tool found:
    nothing.

    BitDefender online scan found:
    nothing.

    Panda online scan found two things, log attached.


    Thanks in advance for your help. One thing I find very confusing is that all signs of the virus have been confined to my IRIVER. No signs have been detected on either of the computers with which I use it.

    Tom
     

    Attached Files:

  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Never have more than 1 Antivirus program installed on your computer. They will conflict with each other, even when only one is active. Pick one, uninstall the other.

    Please post a HijackThis log.
     
  3. thetada

    thetada Private E-2

    Thanks,

    the second virus program has now been uninstalled. Please find attached requested HJT log.

    Tom

    PS, I've just thought, should I have had the IRIVER plugged in when I did the scan?
     

    Attached Files:

  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Scan with HijackThis and fix the following:
    Try using ExplorerXP to delete that file and if it still comes back try using Pocket Killbox.

    Post a fresh HijackThis log and post the log from AdAdware, so I can see exactly what it is reporting.
     
  5. thetada

    thetada Private E-2

    Hi,

    Thanks again.

    Okay, ExplorerXP and Pocket Killbox both failed to delete the file. ExplorerXP was much as previous attempts, where it appeared to delete the file only for the thing to immediately reappear. Pocket Killbox produced a dialogue box stating it was "not possible" to delete the file.

    Please find attached a fresh HJT log and the Adaware log.

    Thank you for your continuing help.

    Tom
     

    Attached Files:

  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Copy the contents of the below quote box to Notepad and Save As FixReg.reg to your Desktop.
    Close Notepad.

    Double-click FixReg.reg and answer 'Yes' when asked if you want to merge with the registry.

    REBOOT

    Scan with AdAware. Is AdAware still finding IEHlprObj.IEHlprObj and IEHlprObj.IEHlprObj.1?

    For the file on your MP3 player, can you hook it up and scan just the MP3 player using our standard cleaning procedures to see what is hiding on the player.
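    As an added check (not part of this thread or of any of the tools named in it), the question of whether the two ProgIDs AdAware reported are still registered, and what Browser Helper Object DLLs Internet Explorer would actually load, can be answered directly from the registry. The ProgID names below are the ones reported in this thread; the Browser Helper Objects key is the standard one Windows uses for IE add-ons. Run it in an elevated PowerShell session after the reboot.

    ```powershell
    # Added example, not from the thread: report whether the ProgIDs AdAware flagged
    # still exist, and list every Browser Helper Object with the DLL it points at.
    $progIds = @('IEHlprObj.IEHlprObj', 'IEHlprObj.IEHlprObj.1')   # names from the thread

    foreach ($p in $progIds) {
        $key = "Registry::HKEY_CLASSES_ROOT\$p"
        if (Test-Path $key) {
            # A ProgID normally carries a CLSID subkey; resolve it so the DLL can be traced
            $clsid = (Get-ItemProperty -Path "$key\CLSID" -ErrorAction SilentlyContinue).'(default)'
            Write-Output "PRESENT  $p  -> CLSID $clsid"
        } else {
            Write-Output "absent   $p"
        }
    }

    # Every BHO that IE loads is registered as a CLSID subkey here (standard Windows key)
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bhoKey) {
        Get-ChildItem $bhoKey | ForEach-Object {
            $clsid = $_.PSChildName
            $srv   = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll   = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
            # InprocServer32 paths often contain %SystemRoot%; expand before checking on disk
            $full  = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
            [PSCustomObject]@{
                CLSID     = $clsid
                DLL       = $full
                OnDisk    = [bool]($full -and (Test-Path -LiteralPath $full))
            }
        } | Format-Table -AutoSize
    }
    ```

    A BHO whose DLL is missing on disk, or one whose CLSID has no InprocServer32 at all, is leftover registration and can be cleaned up; a BHO whose DLL is present in an unexpected location is the one worth scanning before removal.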
     
  7. thetada

    thetada Private E-2

    Hello,

    First of all, AdAware has stopped reporting the previous "IEHlprObj.IEHlprObj and IEHlprObj.IEHlprObj.1" problem, although it found three new "DataMiner" problems, which have now been quarantined.

    Regarding the MP3 player, I ran:
    IN SAFE MODE:
    Microsoft Malicious Software Removal prog,
    Ad-aware,
    Spybot,
    Microsoft Defender,
    CWShredder
    Kill2Me
    NOTHING FOUND BY ANY PROGRAM

    IN NORMAL MODE (computer couldn’t perform in SAFE MODE W/ NETWORKING)
    BitDefender
    Pandascan
    NOTHING FOUND

    Should I perform the alternative scans detailed in Step 8 of the "follow these instructions" instructions?

    Thanks again,

    Tom
     
  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I'm not all that familiar with MP3 players and their file storage system. Is it possible that when the device is plugged into the computer that there is some sort of synchronization between playlists and files?
     
  9. thetada

    thetada Private E-2

    It does sound feasible although I'm not entirely sure what you mean. Also, I have no playlists programmed into the unit, just files. Furthermore, I don't use the software supplied with the MP3 player, I just use it like a memory stick, i.e. plug it in and access via Windows Explorer.
     
  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I figured it could be used in the same manner as a memory stick. Try using the software that came with the player and see what that does.
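    Added example, not from the thread: before reformatting, a file that "comes back" after deletion in Explorer can be tested from the command line to separate the two possibilities raised above, a stale Explorer view versus something on the player or the PC genuinely recreating the file. The script fingerprints the file, deletes it through the shell with attributes cleared, waits, and then checks whether what reappears is byte-identical. The drive letter and file name are placeholders, and `Get-FileHash` assumes PowerShell 4 or later.

    ```powershell
    # Added example, not from the thread. Usage: .\Test-Reappear.ps1 -Path 'E:\VOICE\REC001.MP3'
    param(
        [string]$Path = 'E:\VOICE\REC001.MP3'   # placeholder path, not from the thread
    )

    function Get-FileFingerprint([string]$p) {
        # Size, write time, attributes and SHA-256 are enough to tell "same file" from "new file"
        if (-not (Test-Path -LiteralPath $p)) { return $null }
        $item = Get-Item -LiteralPath $p -Force
        [PSCustomObject]@{
            Length  = $item.Length
            Written = $item.LastWriteTimeUtc
            Attrs   = $item.Attributes
            SHA256  = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }
    }

    $before = Get-FileFingerprint $Path
    if (-not $before) { Write-Output "Nothing at $Path"; return }
    Write-Output "Before delete:"
    $before | Format-List

    # Delete via the shell rather than Explorer; clear read-only/hidden/system first so
    # attribute bits are not the reason the delete appears to fail
    Set-ItemProperty -LiteralPath $Path -Name Attributes -Value 'Normal'
    Remove-Item -LiteralPath $Path -Force

    Start-Sleep -Seconds 5   # give any firmware or sync process on the PC time to act
    $after = Get-FileFingerprint $Path

    if (-not $after) {
        Write-Output "File stayed deleted: the earlier reappearance was only Explorer showing a stale listing."
    } elseif ($after.SHA256 -eq $before.SHA256) {
        Write-Output "File reappeared with identical content: something restored a copy of it."
        $after | Format-List
    } else {
        Write-Output "File reappeared with different content: it is being regenerated, not restored."
        $after | Format-List
    }
    ```

    If the file is regenerated with fresh content each time, the player's own firmware is the most likely writer and a reformat from the player's menu (rather than from Windows) is the cleaner route; if an identical copy is restored, look for a process on the PC that holds the drive open at the moment of deletion.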
     
  11. thetada

    thetada Private E-2

    Good idea. I've researched the website and I think I'm just going to reformat the thing, it'll be handy because I need to completely overhaul what's on there anyway.

    Just one more thing. Now that I've removed these various bits of malware from my computer, now's the time to Disable System Restore, reboot then re-enable right?

    Thanks for all the help
     
  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Yes, disable System Restore, Reboot, turn System Restore back on.
     
  13. thetada

    thetada Private E-2

    Hi,

    Looks like everything's sorted now, until the next time.

    Just wanted to say a big thank you for all your help.

    Big thank you.

    Tom
     
  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You're welcome.
     
