#1 (permalink)
Registered User
Join Date: Dec 2008
Posts: 2
OS: XP SP3

iexplore.exe malware detection and removal ?
Hello, this has been posted already, but perhaps the treatment method may vary depending on my situation and logs etc, so reposting...
XP SP3
IE 8 BETA (although using Firefox mainly)

Tried: Fullscan with KIS 2009 (Kaspersky) and Adaware. It removed some win32trojan downloader agent mkav or so, but problem remains.

Description: I've been experiencing multiple iexplore.exe processes running freely without my control (I use Firefox mainly). While they run, there's a weird Chinese speech in the background which sounds like a commercial, it may repeat itself a few times and even overrun itself in sound.

The Problem: iexplore.exe keeps on running along with the CHINESE talking in the background. Now, if I run full scan on my system with KIS, it wouldn't detect anything, not to mention updated Lavasoft Ad-Aware 2008...

DDS LOG:

DDS (Version 1.0) - NTFSx86
Run by Idan at 22:27:53.26 on Mon 12/08/2008
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.2046.1606 [GMT 2:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\taskmagr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Idan\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://portal.colman.ac.il/
uInternet Settings,ProxyOverride = *.local
BHO: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - c:\program files\flashgett\jccatch.dll
BHO: {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {F156768E-81EF-470C-9057-481BA8380DBA} - c:\program files\flashgett\getflash.dll
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: &Download All with FlashGet - c:\program files\flashgett\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashgett\jc_link.htm
IE: &ייצוא אל Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashgett\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6\ICQ.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashgett\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6\ICQ.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: klogon - c:\windows\system32\klogon.dll
SEH: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 32784]
R0 St323dk;St323dk;c:\windows\system32\drivers\St323dk.sys [2002-10-13 88736]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2008-12-3 213008]
R2 GEST Service;GEST Service for program management.;"c:\program files\gigabyte\energysaver\GSvr.exe" [2008-1-2 80392]
R3 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-6-2 611664]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
S2 AVP;Kaspersky Internet Security;"c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe" -r [2008-7-29 206088]
S4 a2free;a-squared Free Service;"c:\program files\a-squared free\a2service.exe" [2008-12-2 419448]

=============== Created Last 30 ================

2008-12-08 22:17 <DIR> --d----- C:\ComboFix
2008-12-08 22:17 389,120 a------- c:\windows\system32\CF32021.exe
2008-12-05 18:42 145,920 a------- c:\windows\system32\lame_enc.dll
2008-12-04 15:22 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-04 15:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-04 15:01 <DIR> --d----- c:\program files\Trend Micro
2008-12-03 14:49 <DIR> --d----- c:\program files\MSXML 4.0
2008-12-03 14:41 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-12-03 14:40 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2008-12-03 14:39 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2008-12-03 14:39 333,824 -c------ c:\windows\system32\dllcache\srv.sys
2008-12-03 14:39 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-03 14:39 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-03 14:39 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-03 14:39 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-03 14:39 1,846,400 -c------ c:\windows\system32\dllcache\win32k.sys
2008-12-03 14:37 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2008-12-03 14:37 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2008-12-03 14:36 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2008-12-03 14:36 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2008-12-03 14:22 23,576 a------- c:\windows\system32\wuapi.dll.mui
2008-12-03 12:53 96,976 a------- c:\windows\system32\drivers\klin.dat
2008-12-03 12:53 87,855 a------- c:\windows\system32\drivers\klick.dat
2008-12-03 12:52 3,422,752 a--sh--- c:\windows\system32\drivers\fidbox.dat
2008-12-03 12:52 401,440 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2008-12-03 12:52 28,868 a--sh--- c:\windows\system32\drivers\fidbox.idx
2008-12-03 12:52 3,500 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2008-12-03 12:52 <DIR> --d----- c:\program files\Kaspersky Lab
2008-12-03 12:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2008-12-03 12:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2008-12-02 16:18 <DIR> --d----- c:\program files\a-squared Free
2008-11-26 13:00 <DIR> --d----- c:\program files\Lavasoft
2008-11-23 23:21 6,592 a------- c:\windows\gwpreset.ini
2008-11-23 23:21 3,362 a------- c:\windows\express.eqx
2008-11-23 23:21 587 a------- c:\windows\goldwave.ini
2008-11-23 23:21 <DIR> --d----- c:\program files\GoldWave
2008-11-20 20:25 348,160 a------- c:\windows\system32\eSellerateEngine.dll
2008-11-20 20:25 <DIR> --d----- c:\program files\Acoustica MP3 Audio Mixer
2008-11-10 08:45 <DIR> --d----- c:\program files\ICQ6

==================== Find3M ====================

2008-12-08 21:56 16,608 a------- c:\windows\gdrv.sys
2008-10-24 13:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-06 11:33 130,522 a------- c:\windows\hpoins14.dat
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-30 16:43 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-09-30 03:31 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-09-30 03:02 737,280 a------- c:\windows\iun6002.exe
2008-09-16 21:27 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-09-15 14:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-10 03:14 1,307,648 a------- c:\windows\system32\msxml6.dll

============= FINISH: 22:28:18.25 ===============

GMER and HJT logs attached. Thanks, really need help with that.

Last edited by Idanshalev; 12-08-2008 at 01:41 PM.

#2 (permalink)
Moderator, Microsoft Support

Re: iexplore.exe malware detection and removal ?
Hello and welcome to TSF
Please do NOT start multiple threads on the same problem. Here is what it says in the forum rules: Quote:

This thread is Closed