#1
MHTMLRedir.Exploit - Revisited
Guys,
Please give me some advice about my situation; here goes: I am running XP Pro and have Symantec AntiVirus, which I religiously update as often as I get to the PC. Recently I started getting a whole lot of popups and the computer became very slow. At startup Symantec shows the following:

Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Keylogger.Trojan
File: C:\WINDOWS\system\QBTool.exe
Location: C:\WINDOWS\system
Computer: TOLIK
User: Anatoly
Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
Date found: Thursday, August 04, 2005 1:30:23 AM

And sometimes this:

Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: MHTMLRedir.Exploit
File: C:\Documents and Settings\Anatoly\Local Settings\Temporary Internet Files\Content.IE5\MXS3YTU5\stats5[1].htm
Location: C:\Documents and Settings\Anatoly\Local Settings\Temporary Internet Files\Content.IE5\MXS3YTU5
Computer: TOLIK
User: Anatoly
Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
Date found: Thursday, August 04, 2005 12:25:15 AM

But instead of fixing this, it keeps happening every time I restart. I tried the following: Spyware Doctor, SpyBot S&D, Ad-Aware, HijackThis and ETRemover (with directions from this forum), all in vain.

Here is the logfile I get with HijackThis right now:

Logfile of HijackThis v1.99.1
Scan saved at 12:48:30 AM, on 8/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\etb\pokapoka62.exe
C:\DOCUME~1\Anatoly\LOCALS~1\Temp\sysnet.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system\eupihvfpp.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\CMAPP\Client\cmappclient.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Anatoly\LOCALS~1\Temp\Rar$EX00.582\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\system32\lanbrup.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [o3tV37T] ershela3.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Anatoly\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - HKCU\..\Run: [Z029RXfFh] ds170.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000079.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{86220112-BD54-4FB6-B531-00B0977BA0B2}: NameServer = 192.168.0.1,4.2.2.2
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Obviously I am doing at least something (if not everything) wrong. Please, HELP!

Last edited by Tolik : August 4th, 2005 at 04:35 AM. Reason: addition
#2
Are you connected to the internet directly, or do you have some kind of router, NAT, or hardware firewall?
Finally, do you have any kind of firewall in place?
#3
more gunk
Phoenix,
This is my second PC, so it is connected to the internet through a D-Link wireless adapter to the wireless router (D-Link DI 524), which is connected to my main PC. As far as I understand there is a firewall in the cable modem (Zoom cable modem) or in the wireless router or in both (???). As for the Windows firewall on this computer, it shows "ON" in the Win Security Center.

Meanwhile Symantec AntiVirus came up with alerts a couple more times: Keylogger.Trojan, MHTMLRedir.Exploit and lastly Bloodhound.Exploit.21. It shows them all as deleted, but after I restart it shows them again...

I also just ran Spyware Doctor again and after finding a few problems (over 50) it managed to fix one or two, but comes up with an error message for the other ones (Maxifiles, Trojan.Downloader.Pacimedia, Pops Stop and AFA Internet Enhancement) and leaves them alone. This is the error message:

Access violation at address 7C912249 in module 'ntdll.dll'. Read of address FFFFFFF8.

I would very much appreciate any and all help with this; it's been driving me up the wall for days now. Thank you kindly!

Last edited by Tolik : August 4th, 2005 at 06:48 PM. Reason: add info
#4
This sounds more like a bad case of spyware infestation than viruses.
Have you formatted recently? And what do your "at idle" process lists look like these days? If you're running XP Pro (not Home), go CMD > "systeminfo", CMD > "tasklist", and CMD > "tasklist -svc", then copy 'n' paste all the info into here (preferably into a [code ] block).
#5
Phoenix,
I have not reformatted recently. Here is the list you need to see, but I'll cut it into two as it doesn't fit more than 10000 characters:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Anatoly>"systeminfo", CMD
ERROR: Invalid Argument/Option - ','.
Type "SYSTEMINFO /?" for usage.

C:\Documents and Settings\Anatoly>systeminfo

Host Name:                 TOLIK
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 2 Build 2600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Uniprocessor Free
Registered Owner:          Tolik
Registered Organization:
Product ID:                55274-640-6339025-23699
Original Install Date:     10/3/2004, 6:22:58 PM
System Up Time:            0 Days, 14 Hours, 57 Minutes, 6 Seconds
System Manufacturer:       Gateway
System Model:              SANTORINI
System type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 6 Model 8 Stepping 6 GenuineIntel ~797 Mhz
BIOS Version:              GATEWA - 20010220
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT-08:00) Pacific Time (US & Canada); Tijuana
Total Physical Memory:     382 MB
Available Physical Memory: 101 MB
Virtual Memory: Max Size:  2,048 MB
Virtual Memory: Available: 2,006 MB
Virtual Memory: In Use:    42 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    MSHOME
Logon Server:              \\TOLIK
Hotfix(s):                 59 Hotfix(s) Installed.
                           [01]: File 1
                           [02]: File 1
                           [03]: File 1
                           [04]: File 1
                           [05]: File 1
                           [06]: File 1
                           [07]: File 1
                           [08]: File 1
                           [09]: File 1
                           [10]: File 1
                           [11]: File 1
                           [12]: File 1
                           [13]: File 1
                           [14]: File 1
                           [15]: File 1
                           [16]: File 1
                           [17]: File 1
                           [18]: File 1
                           [19]: File 1
                           [20]: File 1
                           [21]: File 1
                           [22]: File 1
                           [23]: File 1
                           [24]: File 1
                           [25]: File 1
                           [26]: File 1
                           [27]: File 1
                           [28]: File 1
                           [29]: File 1
                           [30]: Q147222
                           [31]: KB834707 - Update
                           [32]: KB867282 - Update
                           [33]: KB873333 - Update
                           [34]: KB873339 - Update
                           [35]: KB883939 - Update
                           [36]: KB885250 - Update
                           [37]: KB885835 - Update
                           [38]: KB885836 - Update
                           [39]: KB886185 - Update
                           [40]: KB887472 - Update
                           [41]: KB887742 - Update
                           [42]: KB888113 - Update
                           [43]: KB888302 - Update
                           [44]: KB890046 - Update
                           [45]: KB890047 - Update
                           [46]: KB890175 - Update
                           [47]: KB890859 - Update
                           [48]: KB890923 - Update
                           [49]: KB891781 - Update
                           [50]: KB893066 - Update
                           [51]: KB893086 - Update
                           [52]: KB893803 - Update
                           [53]: KB893803v2 - Update
                           [54]: KB896358 - Update
                           [55]: KB896422 - Update
                           [56]: KB896428 - Update
                           [57]: KB898461 - Update
                           [58]: KB901214 - Update
                           [59]: KB903235 - Update
NetWork Card(s):           3 NIC(s) Installed.
                           [01]: Intel(R) PRO/100 VE Network Connection
                                 Connection Name: Local Area Connection 2
                           [02]: Realtek RTL8139 Family PCI Fast Ethernet NIC
                                 Connection Name: Local Area Connection
                           [03]: D-Link AirPlus G DWL-G510 Wireless PCI Adapter( rev.B)
                                 Connection Name: Wireless Network Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 192.168.0.99

C:\Documents and Settings\Anatoly>tasklist

Image Name                     PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         16 K
System                         4 Console                 0         40 K
smss.exe                     344 Console                 0         56 K
csrss.exe                    392 Console                 0     75,620 K
winlogon.exe                 416 Console                 0      1,060 K
services.exe                 460 Console                 0      1,832 K
lsass.exe                    472 Console                 0      1,796 K
svchost.exe                  620 Console                 0      1,796 K
svchost.exe                  668 Console                 0      1,644 K
svchost.exe                  744 Console                 0     10,772 K
svchost.exe                  844 Console                 0      1,228 K
svchost.exe                  948 Console                 0      1,832 K
explorer.exe                1024 Console                 0     11,976 K
ccSetMgr.exe                1088 Console                 0        488 K
ccEvtMgr.exe                1116 Console                 0        456 K
spoolsv.exe                 1252 Console                 0      1,372 K
DefWatch.exe                1456 Console                 0        420 K
tcpsvcs.exe                 1588 Console                 0        576 K
svchost.exe                 1684 Console                 0      1,680 K
Rtvscan.exe                 1700 Console                 0      3,040 K
jusched.exe                 2028 Console                 0        428 K
alg.exe                     2036 Console                 0        480 K
ccApp.exe                    212 Console                 0        684 K
VPTray.exe                   228 Console                 0      1,560 K
AirGCFG.exe                  240 Console                 0     14,352 K
WZCSLDR2.exe                 236 Console                 0     13,036 K
igfxtray.exe                 256 Console                 0        516 K
hkcmd.exe                    276 Console                 0        528 K
pokapoka62.exe               328 Console                 0      2,580 K
sysnet.exe                   336 Console                 0      1,604 K
eupihvfpp.exe                384 Console                 0        904 K
cmappclient.exe              508 Console                 0      4,956 K
svchost.exe                 2852 Console                 0        548 K
eMule.exe                   2860 Console                 0     11,244 K
swdoctor.exe                1904 Console                 0     11,484 K
IEXPLORE.EXE                1280 Console                 0     11,488 K
IEXPLORE.EXE                3912 Console                 0     19,300 K
cmd.exe                     2064 Console                 0      3,104 K
wmiprvse.exe                 292 Console                 0      7,812 K
wmiprvse.exe                 216 Console                 0      4,776 K
tasklist.exe                2976 Console                 0      4,296 K

C:\Documents and Settings\Anatoly>tasklist-svc
'tasklist-svc' is not recognized as an internal or external command,
operable program or batch file.

C:\Documents and Settings\Anatoly>tasklist svc
ERROR: Invalid Argument/Option - 'svc'.
Type "TASKLIST /?" for usage.
#6
Part deux:

C:\Documents and Settings\Anatoly>tasklist -svc

Image Name                     PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
smss.exe                     344 N/A
csrss.exe                    392 N/A
winlogon.exe                 416 N/A
services.exe                 460 Eventlog, PlugPlay
lsass.exe                    472 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                  620 DcomLaunch, TermService
svchost.exe                  668 RpcSs
svchost.exe                  744 6to4, AudioSrv, Browser, CryptSvc, Dhcp, dmserver, ERSvc, EventSystem, FastUserSwitchingCompatibility, helpsvc, Iprip, LanmanServer, LanmanWorkstation, Netman, Nla, RasMan, Schedule, seclogon, SENS, SharedAccess, ShellHWDetection, TapiSrv, Themes, TrkWks, W32Time, winmgmt, wscsvc, wuauserv, WZCSVC
svchost.exe                  844 Dnscache
svchost.exe                  948 LmHosts, RemoteRegistry, SSDPSRV, WebClient
explorer.exe                1024 N/A
ccSetMgr.exe                1088 ccSetMgr
ccEvtMgr.exe                1116 ccEvtMgr
spoolsv.exe                 1252 Spooler
DefWatch.exe                1456 DefWatch
tcpsvcs.exe                 1588 SimpTcp
svchost.exe                 1684 stisvc
Rtvscan.exe                 1700 Symantec AntiVirus
jusched.exe                 2028 N/A
alg.exe                     2036 ALG
ccApp.exe                    212 N/A
VPTray.exe                   228 N/A
AirGCFG.exe                  240 N/A
WZCSLDR2.exe                 236 N/A
igfxtray.exe                 256 N/A
hkcmd.exe                    276 N/A
pokapoka62.exe               328 N/A
sysnet.exe                   336 N/A
eupihvfpp.exe                384 N/A
cmappclient.exe              508 N/A
svchost.exe                 2852 HTTPFilter
eMule.exe                   2860 N/A
swdoctor.exe                1904 N/A
IEXPLORE.EXE                1280 N/A
IEXPLORE.EXE                3912 N/A
cmd.exe                     2064 N/A
tasklist.exe                3592 N/A
wmiprvse.exe                1112 N/A

C:\Documents and Settings\Anatoly>
#7
Phoenix, still have a BIG problem with "spyware infestation"
Phoenix,
Just wanted to check if you have had a chance to look at my reply with the info you required (the system idle printout). I keep trying different things but it just seems to get worse instead of improving... Let me know if you need to see anything else. Please, help if you get a chance!

Last edited by Tolik : August 8th, 2005 at 05:22 AM. Reason: add info
#8
Go to your MSConfig app (Start > Run > "msconfig" (without the quotes)) and go to the "Startup" tab.
Uncheck everything, then reboot. When you reboot, you should only see essential processes loaded. Then, one by one, check the items back on and reboot; eventually you'll spot the one causing the popups. Tell me when you've isolated which one (or more) is causing the popups and I'll let you know how to remove it.
#9
You have a MyWebSearch infection among other things... a couple more adwares on your PC as well. The Rbot.api worm is another thing you have.
I would give you detailed instructions on how to go about cleaning your PC, but I'm swamped at work. I can however give you links to point you in the right direction. First off, follow the directions pertaining to your system at the following websites:

http://www.spywareguide.com/product_show.php?id=1124 to handle pokapoka62.exe
http://es.trendmicro-europe.com/ent...e=WORM_RBOT.API to handle Rbot.api (sysnet.exe)
http://castlecops.com/zx/Trpm/Adware_Casclient.txt to handle cmappclient.exe
http://securityresponse.symantec.co...afesurfing.html to tackle lanbrup.exe
http://www.bleepingcomputer.com/for...exe-t19277.html to tackle VCMnet11.exe

I would suggest you download the following freely available software:

Adaware: http://www.lavasoftusa.com/support/download/
Spybot S&D: http://www.download.com/3001-8022_4-10401314.html
Ewido Sec Suite: http://www.ewido.net/en/download/

Perform a free online scan at the following website: http://www.trendmicro.com/housecall

You also need to remove the following entries from your HijackThis log by using the fix option. REMEMBER to unzip HijackThis to its own folder first.

I wish I had time to describe to you the order in which you need to carry out these instructions, but time is not something I have in plenty right now. You should also download the following tool to use towards the end of your cleanup: CCleaner http://www.ccleaner.com/
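As an added example (not code from this thread, from HijackThis or from any of the tools linked above), the script below applies the cues the replies rely on to the O4 autostart lines from the log in post #1: entries launched from a temp folder, bare filenames with no path, executables dropped straight into Common Files or into odd Windows subfolders, and random-looking Run value names. The sample lines are copied from that log; the rules are heuristics, so a hit means "look at this one first", not "this is malware".

```python
import re

# Excerpt of O4 (autostart) lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [o3tV37T] ershela3.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Anatoly\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Z029RXfFh] ds170.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000079.exe
"""

# HijackThis O4 format: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$')
EXE_RE = re.compile(r'^"?(.*?\.exe)\b', re.IGNORECASE)
RANDOM_NAME = re.compile(r'^[A-Za-z0-9]{6,}$')
# The only place under C:\WINDOWS where legitimate Run entries normally live.
SYSTEM_DIRS = ('c:\\windows\\system32\\',)


def suspicious_reasons(name, cmd):
    """Return the reasons (possibly none) an autostart entry deserves a look."""
    reasons = []
    m = EXE_RE.match(cmd)
    exe = (m.group(1) if m else cmd).lower()
    if '\\' not in exe:
        reasons.append('bare filename, resolved via PATH at logon')
    elif '\\temp\\' in exe or '\\locals~1\\' in exe:
        reasons.append('runs from a temporary directory')
    elif exe.startswith('c:\\program files\\common files\\') and exe.count('\\') == 3:
        reasons.append('executable dropped directly into Common Files')
    elif exe.startswith('c:\\windows\\') and not exe.startswith(SYSTEM_DIRS):
        reasons.append('unusual location under the Windows directory')
    # Heuristic: a value name mixing case and digits with no readable word in it.
    if RANDOM_NAME.match(name) and any(c.isdigit() for c in name) \
            and not name.islower() and not name.isupper():
        reasons.append('random-looking Run key name')
    if name.lower() == exe:
        reasons.append('Run key named after its own path')
    return reasons


def triage(log_text):
    """Map each flagged Run value name to its list of reasons."""
    flagged = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            _hive, name, cmd = m.groups()
            reasons = suspicious_reasons(name, cmd)
            if reasons:
                flagged[name] = reasons
    return flagged
```

Running `triage(SAMPLE_LOG)` flags six of the eight entries and leaves ccApp and Skype alone; the same function works on a full log pasted into `log_text`.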
Viewing: ASP Free Forums > System Administration > Windows OS > MHTMLRedir.Exploit - Revisited