Explorer.exe problem... possible virus?

[diehard]

Ok, so the problem started when I had to use dial-up instead of cable because of the recent hurricane. My cable modem is connected to a router but of course I can't use a router with dial-up. About 30 minutes after I logged on, Norton pops up and says it has deleted the virus W32.Spybot.Worm. I figure no big deal but after several viruses (W32.Spybot.Worm, W32.Korgo.F(?) and another with a name involving tftp) over the past 2 days i realized something was wrong and i downloaded ZoneAlarm. Well I found out that Windows Explorer was trying to connect to random IPs about 10 times a second. I went back to the virus section of Symantec's site and found this under W32.Korgo.F...

Attempts to inject a function into Explorer.exe as a thread.

If successful, this threat will continue to run within the Explorer.exe process. All actions described in the next step will appear to be done by Explorer.exe, and the worm will not show when viewing the process list in the Windows Task Manager.

This is from the next step:

Attempts to exploit the LSASS Windows vulnerability on TCP port 445 (described in Microsoft Security Bulletin MS04-011), against random IP addresses. If the worm successfully finds a vulnerable computer, that computer will attempt to connect back to the infected computer on one of the TCP ports the worm opens.

Well I assumed this had to be the problem, but I have downloaded and installed the patch and I have run Symantec's Korgo removal tool and a fully updated Norton 2003 in safe mode several times but Explorer still does this.

Oh, one last thing... the firewall also blocks attempts to access my computer through port 445 as well as other ports about once per minute.

Here is my HiJackThis log, I hope you guys can help... I certainly don't want to have to reformat again.(The reason i don't just call Symantec is because they charge $39.95 per incident or $4.95 per minute ><)

Logfile of HijackThis v1.98.2
Scan saved at 5:01:56 PM, on 10/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Stop-the-Pop-Up\stopthepop.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/googlesidesearch.html
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {19BDAFF8-BD02-2CAD-3ADA-5E311852A823} - C:\WINDOWS\Zqbgkhkv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: Search - {809F06A6-D544-98E2-6306-2701A38A9691} - C:\WINDOWS\Zqbgkhkv.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up\stopthepop.exe" -minimized
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/3029ca48...p/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{04BCF14F-30BE-4A3F-AA3A-BF5D84300BC7}: NameServer = 207.69.188.187 207.69.188.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{04BCF14F-30BE-4A3F-AA3A-BF5D84300BC7}: NameServer = 207.69.188.187 207.69.188.186

Thanks for your help!

[Pancake]

Hi diehard
Close your browser window,run hjt in safe mode and fix these items.Any files/folders that I have highlighted will also need to be removed from your hard drive as well as from the log. Make sure to have your system set to show hidden files and folders.. www.xtra.co.nz/help/0,,4155-1916458,00.html while still in safe mode,run "SpyBot S&D" and fix all it find,also do the same with "Adaware".Post a new log when finished....

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/googlesidesearch.html
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {19BDAFF8-BD02-2CAD-3ADA-5E311852A823} - C:\WINDOWS\Zqbgkhkv.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: Search - {809F06A6-D544-98E2-6306-2701A38A9691} - C:\WINDOWS\Zqbgkhkv.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/3029ca4...ip/RdxIE601.cab

[mimo2005]

if you still have download accelerator plus
read this from customers
"Too many adds, spys, slow downs"
I used to really like this program, downloaded here and found my computer slowed down, froze, and when I searched for spyware I got about three times the usual and guess where it came from? It DOES download quickly and easily, but NOT WORTH THE PRICE YOU PAY in loss of computer function and all that terrible spyware.

"Too much spyware"
Well first off...I was a big fan of DAP for years. This was before I got hip to the tricks of spyware adware ect. After I installed this program on my new CPU Spyware Doctor found 138 spyware problems and 9 malicious process running from with DAP 7 alone! So have fun boys and girls, but I would suggest staying away from this program.


good luck

[diehard]

Thanks for all your help so far.
(I took your advice and deleted DAP)

Well I fixed those items and deleted the file but explorer.exe is still trying to access the internet. Two things i noticed were:
1. In safe mode explorer takes over 90% of CPU usage, and in normal mode it takes between 2 and 20%
2. Explorer tries to access alot of IPs but i noticed that it tries 207.69.188.187 and 207.69.188.186 more often and those are listed in the HJT scan.

Here is my new log. It has more processes running this time because last time I had ended many of them in order to test to see if it made a difference but I forgot to restart.

Logfile of HijackThis v1.98.2
Scan saved at 10:49:25 PM, on 10/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Stop-the-Pop-Up\stopthepop.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\Program Files\Stop-the-Pop-Up\stopthepop.exe" -minimized
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{04BCF14F-30BE-4A3F-AA3A-BF5D84300BC7}: NameServer = 207.69.188.187 207.69.188.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{04BCF14F-30BE-4A3F-AA3A-BF5D84300BC7}: NameServer = 207.69.188.187 207.69.188.186

Thanks again for all your help!

[diehard]

I found this strange but explorer has seemed to calm down a bit... it doesnt seem to try to access the internet when it is blocked by ZoneAlarm but i decided to set it to "Ask" to see if it had stopped. As soon as i set it to "Ask" it popped it with a request to access some random IP so some virus or something must still be using explorer.

Also, I was wondering if there is anyway to replace my explorer with a fresh copy of it without reinstalling or reformating?

I'll be going to bed now but I will be sure to check back as soon as I get home tomorrow.

[Pancake]

Your log is ok...207.69.188.187 belong to Earth Link.If this is not your server then the log entry can be removed.