Need some virus removal help

  #1 - Registered User (Joined Aug 2001, North Carolina, 158 posts)

    Hey all. Thanks in advance for looking at my problem:

    Last night my son downloaded a file and ran it. When he did, it said "please select file to crack". I knew right away this was bad. I noticed wintems.exe was running and an exefld folder was in the Windows dir. I killed the wintems process, deleted the exefld dir, did a search on wintems.exe and found all the registry keys it uses. Now wintems is gone, but IE hangs when you start it up, and I also notice that the exefld folder is back; no matter how many times I delete it, it comes right back. I did a scan using my version of McAfee with the latest engine and DAT files, but I read this may give a poor result due to the virus. I did a complete scan and it came up clean. I noticed when I delete the exefld folder, it stays gone until I run IE. As soon as I run IE the folder comes back.

    A couple of other things: the computer blue screens when trying to go into safe mode. Also, it kills my McAfee services as soon as I log in. These 2 issues I am still having. Below is my HJT log. Nothing really stands out to me, but maybe one of you will see something I don't. I also have a ComboFix log as well. If you need it, let me know. I really appreciate all your help. I spent about 5 hours last night, and once I thought it was fixed it screwed up again.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:13:55 AM, on 9/25/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe
    C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    C:\WINDOWS\system32\Grxp4exe.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [PhilipsDM] C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe OS_STARTUP
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [L07AXLRD_40662093] "C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2007 DVD\EDICT.EXE" -m
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1179285196875
    O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://email3.uncg.edu/dwa7W.cab
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

    --
    End of file - 5625 bytes

  #2 - Registered User (Joined Feb 2006, Canada, Eh!, 4,091 posts)
    Sorry to say, but IMO your 5 hours last night would have been better spent copying off anything of value, zero-filling and re-installing.

    If you have access to a bootable anti-virus disk you might be able to clean everything up. Should still copy off anything of value NOW!

  #3 - Registered User Ferrit (Joined Apr 2001, Vancouver Island The Real Canada, 4,952 posts)
    You need to shut off system restore and then go to
    www.bitdefender.com
    and do an online scan with a real antivirus.
    There are several antivirus packages which can be run off a USB stick, CD or floppy.

  #4 - Driver Terrier NooNoo (Joined Dec 2000, UK, 31,824 posts)
    McAfee should kill it although the damage might already have been done to McAfee. wintems is only one file.

    You didn't say whether you had disabled system restore when removing the problem, and you didn't mention hidr.exe or m_hook.sys.

    Symantec have more detailed removal instructions.
    Never, ever approach a computer saying or even thinking "I will just do this quickly."

  #5 - Registered User (Joined Aug 2001, North Carolina, 158 posts)
    Thanks for the quick replies.....

    I almost agree with CCT on starting clean. But I have a 500GB drive with almost 400GB being used. It will take me some time to offload some of that and start over. I wonder if I could get away with deleting the Windows installation and reinstalling XP?

    NooNoo, yes the hidr.exe and m_hook.sys. I actually found a registry entry for the hidr.exe but it was nowhere to be found on the pc. I did a simple search. The m_hook.sys I never found any trace of.

    I wasn't able to do an online scan due to IE hanging, but I went and disabled all add-ons for IE and now IE is up and running so I can do some online scans now.

    First, before anything else, I will copy off the super critical stuff like baby pics, etc. If I lose those, then the PC virus will be the least of my problems.

  #6 - Registered User (Joined Feb 2006, Canada, Eh!, 4,091 posts)
    You did try a system restore to some time earlier? (copy copy copy first tho!)

  #7 - Registered User geoscomp (Joined Apr 2002, Minnesota, 2,340 posts)
    Just as an aside, if you have only one partition, having 400GB on a 500GB drive is putting you close to the drive not being able to be defragmented. You need 15% free to be able to do that, and right now you are at 20% free, not to mention the possibility of a hard drive failure causing you to lose all of what you have.
    When you looked for the above files, did you have the computer set to show hidden and system files?
    Computer Rescue Service

    "those who do not remember history are condemned to repeat it."

  #8 - Registered User (Joined Aug 2001, North Carolina, 158 posts)
    Geoscomp, I appreciate your input and I know you mean well, but I could care less about how full my drive is right now. I have a lot of stuff and most of it is backed up, but the backups may be a week or 2 old. I know very well about the 20% rule, as I have been in IT for 15 years, but sometimes I just can't abide by the rules. Let's fix the problem at hand; then we can worry about whether I can defragment my machine...

    Ok back to the discussion at hand....

    I disabled system restore when trying to clean up, which, as you know, disables all earlier restore points.

    Also, yes, I have the folders set to view all files: hidden, system, protected, etc...

  #9 - Registered User geoscomp (Joined Apr 2002, Minnesota, 2,340 posts)
    Ok, then you also know that a fragmented drive can cause blue screens in safe mode. When you did the reg cleanup, did you do this?
    Using Task Manager, terminate the process called anti_troj.exe.
    Delete the Trojan file %System%\anti_troj.exe.
    Delete the following registry keys:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "anti_troj" = "%System%\anti_troj.exe"
    Delete the following folder:
    %Windir%/exefld/
    The reason the folder shows up when you open Internet Explorer is that this is a downloader trojan (win32.bagel.h) that will download the file again whenever you go on the internet.
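The checks in geoscomp's list (running process, file in %System%, values under the two Run keys, the %Windir%\exefld folder) are easy to script so they can be repeated after every reboot or IE launch, which is how the original poster noticed the folder coming back. The PowerShell audit below is an added example, not code from this thread or from any vendor's removal tool. The indicator names come from the posts above (anti_troj.exe, wintems.exe, hidr.exe, m_hook.sys, the exefld folder); the assumption that hidr.exe sits in %System% and m_hook.sys under %System%\drivers is mine, as is the `-Remove` switch. By default it only reports; with `-Remove` it acts, and `-WhatIf` previews what it would do.

```powershell
# Added example (not from the thread): audit a Windows box for the indicators named in this thread.
# Indicator names come from the posts; the exact paths for hidr.exe and m_hook.sys are assumptions.
# Run from an elevated PowerShell prompt. Read-only unless -Remove is given; honours -WhatIf.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

$system = [Environment]::GetFolderPath('System')    # %System%
$windir = [Environment]::GetFolderPath('Windows')   # %Windir%

# Constructed indicator list taken from the thread.
$badProcesses = @('anti_troj', 'wintems', 'hidr')
$badFiles = @(
    (Join-Path $system 'anti_troj.exe'),
    (Join-Path $system 'wintems.exe'),
    (Join-Path $system 'hidr.exe'),             # assumed location
    (Join-Path $system 'drivers\m_hook.sys')    # assumed location
)
$badFolder = Join-Path $windir 'exefld'
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Provider metadata that Get-ItemProperty adds alongside the real registry values.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

$findings = @()

# 1. Running processes (step 1 of the list: terminate the process).
foreach ($name in $badProcesses) {
    foreach ($proc in (Get-Process -Name $name -ErrorAction SilentlyContinue)) {
        $findings += "process $($proc.ProcessName) (PID $($proc.Id)) is running"
        if ($Remove -and $PSCmdlet.ShouldProcess($proc.ProcessName, 'Stop-Process')) {
            Stop-Process -Id $proc.Id -Force
        }
    }
}

# 2. Files and the exefld folder (steps 2 and 4). Test-Path sees hidden/system files,
#    so this does not depend on the Explorer "show hidden files" setting asked about in #7.
foreach ($path in ($badFiles + $badFolder)) {
    if (Test-Path -LiteralPath $path) {
        $findings += "path exists: $path"
        if ($Remove -and $PSCmdlet.ShouldProcess($path, 'Remove-Item')) {
            Remove-Item -LiteralPath $path -Recurse -Force
        }
    }
}

# 3. Run-key values (step 3): flag any value whose name or data refers to an indicator.
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        $data = [string]$p.Value
        foreach ($name in $badProcesses) {
            if ($p.Name -ieq $name -or $data -match "\b$name\.exe\b") {
                $findings += "Run value '$($p.Name)' in $key = $data"
                if ($Remove -and $PSCmdlet.ShouldProcess("$key\$($p.Name)", 'Remove-ItemProperty')) {
                    Remove-ItemProperty -Path $key -Name $p.Name
                }
                break
            }
        }
    }
}

if ($findings.Count -eq 0) {
    'No indicators from the thread were found.'
} else {
    $findings
}
```

Running it once before and once after launching Internet Explorer shows whether the downloader behaviour described in #1 and #9 is still active: if the exefld folder reappears between the two runs, the component that re-downloads it has not been removed and a clean reinstall, as #2 suggested, is the safer route.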

  #10 - Registered User (Joined Aug 2001, North Carolina, 158 posts)
    Thanks, I actually did not know that a fragmented drive would cause a blue screen in safe mode. I just assumed that since it has booted in safe mode in the past, and people report that failure to enter safe mode is an issue associated with this virus, then that had to be it.

    The anti_troj.exe I have searched for several times in the registry and on the PC. This seems to be one of the more popular files people report, but I have not seen this file at all. I will, for fun, look one more time and report back.

    Sorry if I was rude as I am extremely frustrated.....

    My gut feeling tells me I have done everything I can probably and should begin thinking about the inevitable.....
    Last edited by mhubbard; September 25th, 2007 at 12:20 PM.

  #11 - Driver Terrier NooNoo (Joined Dec 2000, UK, 31,824 posts)
    Well this time, make a 20gb system partition and put all the data on D: drive... you know you can move My Docs to D:/

  #12 - Registered User (Joined Aug 2001, North Carolina, 158 posts)
    Quote Originally Posted by NooNoo:
    Well this time, make a 20gb system partition and put all the data on D: drive... you know you can move My Docs to D:/
    Absolutely!
