WARNING - Intelligent Explorer Virus
12/7/03
| TC
Posted on 12/07/2003 7:20:55 PM PST by Tumbleweed_Connection
I sat down at my station over an hour ago and responded to an Explorer upgrade option without thinking.
This ISN'T a normal option, it was simply a pop-up. Without thinking I responded to upgrade and downloaded a nightmare.
I have yet to break this.
It consists of an additional bar which creates a new home page, http://find.intelius.com with files I've deleted in addition to wwd.ieplugin[1] - and proceeds to initiate infinite pop-ups of EVERY type out of http://www.n-case.com.
ANYTHING internet related will be tattooed with the new bar. "View - Toolbars - Intelligent Explorer" will eliminate the bar from your current page but each new one you bring up will require you to go through the process of removing it again.
TOPICS: News/Current Events
KEYWORDS: antivirus; computervirus; ie; intelligentexplorer; internetexplorer; lowqualitycrap; microsoft; newbar; popups; virus; windows
To: StriperSniper
I don't use the Mozilla browser, but I do use the Opera one. None of the recent Windows Updates have messed with that.
Hadn't heard of the Mozilla/Win Update problem before.
121 posted on 12/08/2003 9:30:15 AM PST by martin_fierro (Ohhh... ehhh... ¿Peeka Panish?)
To: martin_fierro
Thanks for the reply, maybe it was just that poster's individual computer. I haven't had any problems with any past updates, but I didn't want to tempt fate just as I was getting a handle on it. ;-)
122 posted on 12/08/2003 10:13:06 AM PST by StriperSniper (The "mainstream" media is a left bank oxbow lake.)
To: Tumbleweed_Connection
bttt
123 posted on 12/08/2003 10:58:11 AM PST by Pagey (Hillary Rotten is a Smug and Holier- than- Thou Socialist)
To: boycott
Ad-Aware is great! I thank all the Freepers who recommended it to me.
124 posted on 12/08/2003 11:07:02 AM PST by Palladin (Proud to be a FReeper!)
To: Tumbleweed_Connection
125 posted on 12/08/2003 2:21:52 PM PST by Mixer
To: All
I've tried everything I can think of and continue to become more and more locked by this thing. Since it won't allow me internet access I'm using another station. Time to abort and erase. Haven't cleaned off an HD for a long time and want to move this along. Made a Windows start-up disc before this was critical. What's the best way to do this and can I save my DOS?
To: Holly_P
Here's an update. The problem still reappears but SpyBot is at least giving me hints on who/what it is. There is something called "CoolWWWSearch" that is hijacking the registry and changing the homepage default to their webpage ("Lucky Search" usually) and then changing it to "about blank" in IE to cover its tracks.
It must have an .exe or .scr embedded somewhere that triggers this as it keeps returning. It doesn't happen every time I launch the browser, or every time I start my computer or even every day but about once every two or three days this pops up.
If I find out a better solution, I'll let you know.
127 posted on 12/10/2003 9:08:39 AM PST by Tall_Texan ("Is Rush a Hypocrite?" http://righteverytime2.blogspot.com)
To: Tall_Texan
Seems to be search engines and browser which are behind this. Not only are they attempting to overtake your preselected, but they are creating pop-ups as well. One was advertised on Drudge. I've found 2 of these and buried them but they regenerate, either different ones or pop-ups which state that someone may have uninstalled it without your permission and 2 of the 3 options lead to reinstalling.
I'm not going to get rid of this, have very little access to anything on my station, and recommend fast back-ups once you recognize any of these trying to attach itself to your HD.
To: Tumbleweed_Connection
Most versions of Windows allow a reinstall that reinitializes your registry but saves all your data files. This means you have to reinstall all your programs, but the documents will be untouched. There are some other consequences of this, such as losing all the version updates that may have been installed from the net. This is a big deal if you have dial-up.
129 posted on 12/11/2003 8:09:29 AM PST by js1138
To: js1138
Bloody Sam Roberts told me about "deltree/y\>nul" but I can't get it to run.
To: Mixer; Tumbleweed_Connection; Holly_P
This is the problem I had:
http://www.doxdesk.com/parasite/CoolWebSearch.html
Holly, halfway down the page, you'll see a link with the name of a Dutch guy who has a program called "CWShredder" that's there to remove the "CoolWWWSearch" trojan/hijacker. If this is the problem you are having (and SpyBot should tell you if you do), then download and run this very small program.
Again, I'll need a few days before I'm sure this has been resolved but I think the solution is at hand.
Thanks, Mixer and TC for your help and advice. What a wealth of info FReepers can be!
131 posted on 12/11/2003 9:33:37 AM PST by Tall_Texan ("Is Rush a Hypocrite?" http://righteverytime2.blogspot.com)
To: Tall_Texan; All
Thanks, Mixer and TC for your help and advice. What a wealth of info FReepers can be!
Anytime, glad I could help. I work in IT as I suspect many FReepers do. It's nice to know that people can help each other in this way with problems such as this. If ever you need help and are lost you can either ping me to a thread or FReep mail me and I will see what I can do/find.
132 posted on 12/11/2003 6:22:15 PM PST by Mixer
To: Tumbleweed_Connection
Do the following to manually remove Intelligent Explorer:
1. Close Internet Explorer
2. Click Start
3. Click Run
4. type "regsvr32 systb.dll /u" (without the ")
5. Press "enter" OR "return"
8. Type "msconfig" (without the ", msconfig is usually located in your windows/system directory)
9. Click on "Start Up"
11. "untick" WUPDT
12. Restart your computer
== once computer restarted ==
13. Click Start
14. Click Search
15. Click For Files or Folders
16. Search for "systb.dll" (without the ")
17. Click on systb.dll on your right once it's found
18. Right mouse click and click on delete
19. Search for "winobject.dll" (without the ")
20. Click on wupdt.exe on your right once it's found
21. Right mouse click and click on delete
-or-
Visit http://www.ieplugin.com/uninstall.html for an automated removal tool.
133 posted on 01/13/2004 11:57:40 AM PST by Kareem
To: Kareem
Thanks for the response but I have already erased/reformatted/reloaded every HD on the LAN. Amazing how focused Microsoft is on eliminating DOS based OS. What are all of us old hands-on geezers going to do when we are the only people who can use it? It doesn't make sense to me that software would migrate and I have too many doc files which I treasure like my cigars.
To: mhking
After reading this thread I followed your link to HiJackThis which said to paste the results of the log file here at the forum for you to see...
Okay, well, here it is... too bad there is not an attach feature... Hope you can tell me how to get rid of this search engine: Intelligent Explorer. I suspect I got this when it performed one of those dirty tricks by popping up a window when I was in mid click on something else. I am a fast typer so this happens occasionally. I never install this kind of crap. :/
Logfile of HijackThis v1.97.7
Scan saved at 10:36:26 PM, on 2/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinVNC\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\msbb.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\DownloadWare\dw.exe
C:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Popup Ad Filter\PopFilter.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Macromedia\Flash MX\Flash.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
D:\TO CD BURNER\APPS\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.ieplugin.com/q.cgi?q=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D14641FA-445B-448E-9994-209F7AF15641} - C:\WINDOWS\SYSTEM32\mbho.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [CTAvTray] C:\Program Files\Creative\SBLive\Program\CTAvtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ThrustTSR] C:\Program Files\ThrustMaster\ThrustMapper\TMTMTSR.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\WinVNC\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [CD Autorun] C:\Program Files\TweakNow PowerPack\CDAuto.exe
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\TweakNow PowerPack\RAM_XP.exe
O4 - HKLM\..\Run: [CpuIdle] C:\Program Files\CpuIdlePro\cpuidle.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [msbb] C:\WINDOWS\msbb.exe
O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [GNUBIP] C:\WINDOWS\GNUBIP.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Popup Ad Filter.lnk = C:\Program Files\Popup Ad Filter\PopFilter.exe
O4 - Global Startup: Yahoo! Messenger.lnk = C:\Program Files\Yahoo!\Messenger\YPager.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: Allow Popups - C:\Program Files\Popup Ad Filter\WhiteGetUrl.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://c:\Program Files\topMoxie\TEMP\limeshop_script.htm
O9 - Extra 'Tools' menuitem: IMI (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .xar: C:\Program Files\Internet Explorer\PLUGINS\NPXaraC.dll
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct2_x.cab
O16 - DPF: Yahoo! Exploder - http://download.games.yahoo.com/games/clients/y/vtk_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt1_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt3_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37877.7632986111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://http.gamezone.tukati.com/tukati/1.7.20.20/tukati.cab
135 posted on 02/09/2004 9:30:29 PM PST by krum
To: krum
At least at first glance, the one line that stands out as glaring (to me, anyway) is:
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
That looks like a call out to a site, which in turn, pulls a .cab file in each time you boot.
There are people at the SpywareInfo support forums (http://www.spywareinfo.com/forums/) and at the HijackThis forums (http://tomcoyote.org/forums/), who can probably give you a better handle on what's what.
If there's anything else that looks unfamiliar, a method I've used in the past is to Google the file name. Generally, I can determine the identity and function of anything nebulous using that method.
I'm glad that HijackThis is working for you. I've used it (along with AdAware, SpyBot S&D, and other tools) for a couple of years and swear by it. Good luck!
136 posted on 02/10/2004 3:51:10 AM PST by mhking
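The by-eye triage of the HijackThis log above can be scripted. The following is an added example, not part of the original thread: it flags BHO entries whose file is missing, entries naming the files from the manual removal steps, ActiveX (O16) downloads whose source is a bare IP address, and IE search settings on a watched domain. It assumes the line layout seen in the posted log; the watch lists use only names that appear in this thread, and the function and variable names are illustrative.

```python
import re
from urllib.parse import urlparse

# Names taken from this thread: the removal steps name systb.dll and wupdt.exe,
# and the posted log shows IE search settings pointing at ieplugin.com.
WATCH_FILES = {"systb.dll", "wupdt.exe"}
WATCH_DOMAINS = {"ieplugin.com"}

# Lines excerpted from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

ENTRY = re.compile(r"^([RO]\d+) - (.*)$")      # section code, then the entry body
URL = re.compile(r"https?://\S+")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")  # dotted-quad host, no name


def triage(log_text):
    """Return (section, reason, line) for each entry worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, running-process list or blank line
        section, body = m.groups()
        lowered = body.lower()
        url = URL.search(body)
        host = (urlparse(url.group()).hostname or "") if url else ""
        if section == "O2" and "(file missing)" in lowered:
            findings.append((section, "BHO registered but file missing", line))
        elif any(name in lowered for name in WATCH_FILES):
            findings.append((section, "file named in the removal steps", line))
        elif section == "O16" and IPV4.match(host):
            findings.append((section, "download source is a bare IP address", line))
        elif section in ("R0", "R1") and any(
            host == d or host.endswith("." + d) for d in WATCH_DOMAINS
        ):
            findings.append((section, "IE search setting on watched domain", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section:4} {reason}: {line}")
```

A flagged line is a prompt to look the entry up, as suggested above, not a verdict; the unflagged Norton, QuickTime and Macromedia lines show what the script treats as unremarkable.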
To: Tumbleweed_Connection
bttt
137 posted on 02/10/2004 4:00:52 AM PST by SevenDaysInMay (Federal judges and justices serve for periods of good behavior, not life. Article III sec. 1)
To: chilepepper
"An excellent alternative to "Spybot" is "Ad-aware"
Neither one is an alternative to the other. I find they complement each other.
Use them both, as each will catch things the other one doesn't.
138 posted on 02/10/2004 4:07:07 AM PST by Wumpus Hunter (miserable failure)
To: Tumbleweed_Connection
Check Arcadevault.com and wait for Int.Browser download to appear and link will show you how to get rid of all that was downloaded from that. Happened to me. Took about 1 hr to clean it up. Also go to www.pacs-portal.co.uk, this site is invaluable for info to clean up your pc from messes like that. Has pages that state all files and if important and if viruses (and provides links to free programs to clean viruses that you might have). This person writes all his own programs. EXCELLENT!! When you mentioned...n-case...I knew what mess you were talking about....SCHNIZZO GOOD LUCK!!!
To: Tumbleweed_Connection
I do not think this is a virus. It is a program which is from an English Firm which monitors everything you do, go, look at etc., etc., etc., and sends you info on what they think you might be interested in buying. It is nothing but a big pain in the ...well you know what. It is a modified trojan which does no harm but you need the uninstall files to rid yourself of the mess it leaves and, as I said, it is at ARCADEVAULT.COM, and wait for BROWSER PLUGIN TO SHOW UP. That is why they call it INTELLIGENT EXPLORER for all that it does...again GOOD LUCK...SCHNIZZO ps at www.pacs-portal.co.uk look for page that has startups and then find wupdt.exe and it will rid you of it coming back.....
Disclaimer:
Opinions posted on Free Republic are those of the individual
posters and do not necessarily represent the opinion of Free Republic or its
management. All materials posted herein are protected by copyright law and the
exemption for fair use of copyrighted works.
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson