Nasty Trojan IExplorer Pop_Ups

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by RacerJack, Jul 27, 2004.

  1. RacerJack

    RacerJack Private E-2

    Okay, I must have opened a bad file that I shouldn’t have, but now Iexplorer is possessed by a demon that redirects the search and default pages to a DLL in winnt/system32. I’m trying to follow the directions you good folks post, but am stuck at Windows Upgrade. There is a question at the end of this, but here is the background.

    This bugger got right past the up-to-date Norton virus definitions, and the normal Symantec cleanup didn’t eradicate or even find the root virus. Iexplorer now has constant pop-ups and in some cases doesn’t retrieve the original content. The Op sys is Win 2k. At first Norton detected a Trojan virus in c:\winnt\system32\*32.exe files (names changed). It would detect a few of these files in a row, although I could never find the files using Explorer (searching for hidden files). Now Norton doesn’t detect the virus.

    So, the rank amateur I am, I deleted the thorny .DLL file and created a REM file with the same name, write-protected. I killed anything I didn’t recognize in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or RunOnce (files with the system32\*32.exe format for which I couldn’t find a Google reference). I can’t find a RunServices directory. I also changed the search and default references in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Iexplorer\ from the thorny .DLL file to Google. Whenever Iexplorer or Explorer runs, the registry is changed back to the nasty little .DLL. I can’t stay ahead of cleaning the registry RUN and RUNONCE folders, and can’t END TASK the suspect PROCESSES.

    So, following your advice I upgraded Windows: first Iexplorer and now W2K Service Pack 4. I have more Windows security updates to do. But after the last update and before rebooting I checked the registry, and I find the following peculiar entries:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c:\winnt\system32\ipmd32.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Winnt\crtd32.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\winnt\mson.exe

    I’m thinking about killing the two *32.exe entries and would appreciate your advice.

    Sorry if I’m not following this forum’s protocol of going through all the steps, but the last time I rebooted it took forever and I thought I might be able to head this varmint off. Thanks again!
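    The post above describes three places the infection lives in: Run/RunOnce values that keep coming back, hidden *32.exe files in system32 that a normal Explorer search misses, and IE start/search pages pointed at a local DLL. As an added example that is not from the thread or from any of the tools named in it, the PowerShell audit below lists those locations and flags the entries worth a closer look; it assumes a current Windows host with PowerShell (Windows 2000 has none), run from an administrator console.

```powershell
# Added example, not from the thread. Assumes a current Windows host with
# PowerShell (Windows 2000 has none) and an elevated console.
$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$ieKeys = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main',
            'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main')
function Get-ImagePath([string]$cmd) {
  # Reduce a Run value to its executable: a quoted path or the first token.
  $p = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
  return [Environment]::ExpandEnvironmentVariables($p)
}
function Get-RegValues([string]$key) {
  if (-not (Test-Path $key)) { return }
  $props = Get-ItemProperty -Path $key
  foreach ($p in $props.PSObject.Properties) {
    if ($p.Name -notmatch '^PS') { [pscustomobject]@{ Key=$key; Name=$p.Name; Data=[string]$p.Value } }
  }
}
$autoruns = foreach ($v in ($runKeys | ForEach-Object { Get-RegValues $_ })) {
  $path = Get-ImagePath $v.Data
  # -Force shows Hidden/System files that an Explorer search leaves out,
  # which is how the *32.exe files in the post stayed out of sight.
  $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
  $flags = @()
  if (-not $file) { $flags += 'target missing' }
  else {
    if ($file.Attributes -match 'Hidden|System') { $flags += 'hidden/system attributes' }
    $sig = (Get-AuthenticodeSignature -FilePath $file.FullName).Status
    if ($sig -ne 'Valid') { $flags += "signature $sig" }
    if ($file.DirectoryName -ieq "$env:SystemRoot\system32" -and $sig -ne 'Valid') { $flags += 'unsigned in system32' }
  }
  [pscustomobject]@{ Key=$v.Key; Name=$v.Name; Command=$v.Data; Flags=($flags -join '; ') }
}
# The IE values the DLL in the post kept rewriting: flag anything that points
# at a local file or resource instead of an http(s) URL.
$iePages = foreach ($v in ($ieKeys | ForEach-Object { Get-RegValues $_ })) {
  if ($v.Name -in 'Start Page','Search Page','Default_Page_URL','Default_Search_URL') {
    $flag = if ($v.Data -notmatch '^https?://') { 'not an http(s) URL' } else { '' }
    [pscustomobject]@{ Key=$v.Key; Name=$v.Name; Data=$v.Data; Flags=$flag }
  }
}
$autoruns | Format-Table -AutoSize
$iePages  | Format-Table -AutoSize
```

    Run it once before and once after a reboot; an entry that disappears and comes back, as the post describes, points at whichever still-running process is rewriting the key.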
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds like HSA. Download and run:
    - About Buster
    - HSremove

    Follow the directions on those links. If they do not clean it up, follow the protocol mentioned here and then post a HijackThis log as a text attachment.
     
