Multiple IEXPLORE.EXE in Processes, Possible Evivinc Virus

Welcome to Majorgeeks!

Run the steps in the below and attach the requested smitfiles.txt log.

SpywareQuake & SpyFalcon Removal Procedure

You have a bunch of bad infections! This is a direct result of you not having proper protection installed on your PC. You have no antivirus, no firewall, and probably had no antispyware protection until you installed Windows Defender while running the READ ME. This was a very bad idea. And because of that, you have the below to worry about:

You have something very serious in your log that you must address immediately!

IMPORTANT NOTE: You have been infected with a TWO Password Stealing Trojans: Trojan.W32.Torpig

See this link for what you have: http://www.liutilities.com/products/wintaskspro/processlibrary/ibm00001/

Since you appear to use this PC for financial related matters, you must take this possible threat seriously.

You are strongly advised to do the following immediately:

1. Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned. If you have network compters, start checking them for problems too.
2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passords and transaction information.

 

After completing what is in my previous message, continue with these instructions.

You need to empty your housecall\Quarantine folder as instructed in step 0 of the READ ME. Also you need to empty your Recycle Bin.

Look in Add/Remove Programs and uninstall Media Pipe if found!

Start by downloading two tools we will need

- Process Explorer

- Pocket KillBox

Extract them to their own folder somewhere that you will be able to locate them later.

IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

Do the above before continuing! Okay unplug your cable now.

Make sure you have rebooted in Normal Mode (do not open any other processes)

- Run Process Explorer

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of winubg32.dll once and then click the kill button. After you have killed all of the winubg32.dll under winlogon click ok. (If you do not find the dll, just continue on.)

Now repeat the above step for the below two DLLs:
artm_new.dll
polymorph.dll

Next double click on explorer.exe and again click once on each instance of winubg32.dll and kill it. (If you do not find the dll, just continue on.)

Now repeat the above step for the below two DLLs:
artm_new.dll
polymorph.dll

Now just exit Process Explorer.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: run=C:\WINDOWS\inet20026\services.exe
O4 - HKLM\..\Run: [ÿ_zskg^mhrgbvcftujtnq50inkrwksz_] c:\windows\system32\_zskwrkni05qntjutfcvbgrhm^g.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20026\services.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\testtestt.exe
O4 - HKLM\..\Run: [r7rU37P] ahugxpr7.exe
O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\inet20026\socks.exe
O4 - HKLM\..\Run: [MediaPipeTrayIcon] "C:\Program Files\MediaPipe\MPTray.exe" /H
O4 - HKLM\..\Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl.exe" /H
O4 - HKLM\..\Run: [MediaPipe] "C:\Program Files\MediaPipe\MediaPipe.exe" /H
O4 - HKLM\..\RunServices: [ÿ_zskg^mhrgbvcftujtnq50inkrwksz_] c:\windows\system32\_zskwrkni05qntjutfcvbgrhm^g.exe
O4 - HKCU\..\Run: [ÿ_zskg^mhrgbvcftujtnq50inkrwksz_] c:\windows\system32\_zskwrkni05qntjutfcvbgrhm^g.exe
O4 - HKCU\..\Run: [WinMedia] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\124.tmp3072.exe"
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
O4 - HKCU\..\Run: [aw08RXj9W] admml4.exe
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll
O20 - Winlogon Notify: winubg32 - C:\WINDOWS\SYSTEM32\winubg32.dll


Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files"
Once you have saved it double click it and allow it to merge with the registry.

Now click Start, Run, and enter cmd and click OK! This will open a command prompt window. In the command prompt window enter the below commands each followed by the Enter key.
cd c:\windows\temp

Now make sure the prompt (what you see at the beginning of each line in the command prompt window) shows that you are in the C:\windows\temp folder. Then continue.

del win*.*
exit

Now run Pocket Killbox:
Choose Tools > Delete Temp Files and click OK.

Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.
C:\Program Files\MediaPipe\MediaPipe.exe
C:\Program Files\p2pnetworks\mpp2pl.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\124.tmp3072.exe
C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll
C:\Documents and Settings\Administrator\Favorites\Antivirus Test Online.url
C:\Documents and Settings\Administrator\Local Settings\Application Data\195c10c9.exe
C:\WINDOWS\system32\195c10c9.exe
C:\WINDOWS\system32\ipod.raw.exe
C:\WINDOWS\system32\taskdir.exe
C:\WINDOWS\system32\taskdir.dll
F:\Installation Filez\AresGalaxyClassic.exe
C:\WINDOWS\inet20026\socks.exe
C:\windows\system32\_zskwrkni05qntjutfcvbgrhm^g.exe
C:\WINDOWS\SYSTEM32\winubg32.dll
C:\WINDOWS\System32\testtestt.exe
C:\WINDOWS\System32\ahugxpr7.exe

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

Now attach a new HJT log and tell me how the steps went.
Make sure you tell me how things are working now!

 

Some items still appear! Did you miss the below? Try fixing again:

F3 - REG:win.ini: run=C:\WINDOWS\inet20026\services.exe
O4 - HKLM\..\Run: [ÿ_zskg^mhrgbvcftujtnq50inkrwksz_] c:\windows\system32\_zskwrkni05qntjutfcvbgrhm^g.exe
O4 - HKLM\..\RunServices: [ÿ_zskg^mhrgbvcftujtnq50inkrwksz_] c:\windows\system32\_zskwrkni05qntjutfcvbgrhm^g.exe
O4 - HKCU\..\Run: [ÿ_zskg^mhrgbvcftujtnq50inkrwksz_] c:\windows\system32\_zskwrkni05qntjutfcvbgrhm^g.exe
O20 - Winlogon Notify: winubg32 - winubg32.dll (file missing)

Do you see any the below (or similar to the below)

c:\windows\system32\_zskwrkni05qntjutfcvbgrhm^g.exe
C:\WINDOWS\inet20026\services.exe

Did killbox find these and delete them?


Now run the below procedure and attach the runkeys.txt log.

• Using GetRunKey

Also run the below procedure and attach the newfiles.txt log.

• Using ShowNew

 

Okay that looks better, but I see MSconfig running and it should not be. But before we address this, I want apply a registry patch.


Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry

Now make sure you have selected Normal Startup in MSconfig and give me a new HJT log. Some of the bad stuff is still showing in your runkeys.txt log but this could be due to not booting in normal boot mode without using MSconfig. You must make sure you DO NOT use MSconfig to control startups while we are fixing problems. It is okay to use it to get into safe mode (if you need to do it that way) but when you leave safe mode, you must make sure you select Normal Startup. If you simply uncheck the SafeBoot option it is not the same thing.

 

Problems are still showing in your log! Do the below to disable Windows Defender.

Disable Windows Defender's realtime protection:

Disable Windows Defender:

• Open Windows Defender
• Click Tools
• Click General Settings
• Scroll down to Real Time Protection Options
• Uncheck Turn on Real Time Protection (recommended)
• Close Windows Defender

Once your log is clean you can re-enable Windows Defender Real Time Protection.

Then also disable any other active protection software (like your AV,...etc)

Then reapply that same registry patch. Afterwards get a new HJT log and also do the below.

Now run the below procedure and attach the runkeys.txt log.

• Using GetRunKey

Now run the below procedure and attach the newfiles.txt log.

Using ShowNew

 

You still have those problem registry keys with the random characters in the name. Some of the characters are probably unprintable characters and that could be part of the reason for having trouble removing it. It could also be that the malware has changed ownership of that particular registry key hive and it does not belong to you or even the administrator of the PC and thus is will not let you change it. I have a couple other things we can try but first, please redownload ShowNew. It has been changed and I need a new log from it. The version number is now 0.5. Replace the old one with this one and give me a new log. PLEASE RUN THIS FIRST BEFORE YOU CONTINUE ON TO THE BELOW.

Alright! Let's try another procedure to remove that strange process!

Copy the bold text below to notepad. Save it as fixJUNK.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry

Now attach a new HJT log!

 

It is still there! We will now try to take ownership of the registry key and see if we can manually delete it.

Download and Install Registrar Lite (Make sure you select a download link from Majorgeeks and not the Author's)

Copy and paste the below into the bar of Registrar Lite and take ownership of it:

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run

To take ownership of teh key do the following:
Click-on the above Registry Key
Click-on Security in the top Menu
Select Take Ownership

Now try to locate the below subkey that is under the above key and select it and right click on it and select Delete

ÿ_zskg^mhrgbvcftujtnq50inkrwksz_

You may have to check around to locate this key because the text seen above in my message may or may not match what is in the registry itself.

Then in the top menu of Registrar Lite, click View and Refesh. Check to see if the key was actually deleted. Let me know. Also if you get any error messages while doing these steps, tell me exactly when you get the error and exactly what it says.

After deleting the registry key, exit Registrar Lite and attach a new HJT log (but only if it actually worked).

Let me know if you had any problems following this procedure.

 

As I suspected, the malware had changed the ownership of that registry key to make it diffiicult for anyone to remove it. But we got it now!

Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work thru the below link:

How to Protect yourself from malware!

 

Nothing we did has anything to do with your Windows firewall. However you do not want to use the Windows firewall anyway. It does not provide adequate protection. You should use a real firewall like one mentioned in step 3 of the below link:

How to Protect yourself from malware!

You need to run all steps in that link anyway now that your malware is fixed. Also you need to toggle System Restore per step 1 of the READ ME.

For your NAT error message, you really need to discuss that in the Software Forum but you should give the actual error message.