Resolved Blue screen, Artemis, and multiple iexplore.exe

Status
Not open for further replies.
Status: Frustrating.

It takes several minutes for Firefox to load, and I'm getting redirected on Google searches (I can type an address in the address bar and get to the correct site, but if I click any of the links from a Google search, it connects me to various odd sites).

I'll also have a window open in Firefox, and a window from Explorer will pop up?

What's my next step Bobbye?
 
It would be helpful if we can get this down to a particular set of problems.

This is what you described as the original problems:
My computer is running slow and I had a blue screen yesterday. McAfee today said that a trojan was removed: Artemis!D7A66DDA4489. Also, I noticed in Tasks that (2) iexplore.exe were running.

Now you are telling me:
It takes several minutes for Firefox to load, and I'm getting redirected on Google searches (I can type an address in the address bar and get to the correct site, but if I click any of the links from a Google search, it connects me to various odd sites).

I'll also have a window open in Firefox, and a window from Explorer will pop up?

So I told you about IE8 having multiple iexplore.exe processes.
And that a random BSOD isn't anything to worry about unless there are other related problems,
And I stated that a slow computer could have many causes.

Pop-up Window:
How do you know this is from IE? What does it show? What does it have on it?

Slow load:
Take your add-ons off of Firefox and see how much difference it makes, if any.

Download Bootkit Remover and save to your Desktop
  1. You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  2. After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
  3. You will see a Black screen with some data on it.
  4. Right click on the screen and click Select All.
  5. Press CTRL+C to Copy
  6. Open a Notepad and press CTRL+V to Paste.
  7. Include the report in your next post.
Credits to Broni
====================================
  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • c:\windows\system32\userinit.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
Also scan these,

C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe


Post results of both in new reply.
 
Sorry for the moving targets. Here's what is currently happening:

I start my computer and almost 2 minutes later, it gives the log in prompt. At 4 minutes, I get a notice that the System Configuration Utility is "currently in Diagnostic or Selective Startup Mode." Then the System Configuration Utility comes up. Next is "An access Denied error was returned while attempting to change a service. You may need to log on using an Administrator account"

It took IE a total of 7 minutes to come up. I shut down the computer and then tried it with Firefox ... it took approx 12 minutes. After Firefox finally came up, an additional window came up titled "Downloading Registry Cleaner - Windows Internet Explorer" (no ... I didn't download).

Also, I am still getting redirected with searches. I searched both Yahoo and Google on IE for "techspot.com" and here is what I got:
with Yahoo: http://se1.93705.asklots.com/jump2/?affiliate=se1&subid=93705&terms=techspot.com
with Google: http://www.juggle.com/search/?q=techspot&t=R177356&ref=368-1975836850&s=R1&campaign=77356&medium=R

I wasn't able to save the logs from VirSCAN.org to the clipboard but all three scans came back "Scanner results : Scanners did not find malware! "

Here's the log from Bootkit Remover:

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: d4b876239615e81ab805b6a9431ee920

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...
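The log above reports a whole-sector MD5 and a verdict of "Unknown boot code", and its own hint for the next step is to dump the master boot sector and inspect it. The following is an added example (editorial, not code from the thread, from eSage Lab, or from Bootkit Remover) showing what such a checker looks at when it reads a raw 512-byte MBR image, for instance a file written by `remover.exe dump \\.\PhysicalDrive0 mbr.bin`: the 0x55AA trailer, the four partition entries, and a hash of the boot-code region compared against an allowlist. The sample MBR, the reference boot code and the allowlist entry are all constructed in the code; hashing only the first 440 bytes (so that the per-disk signature at bytes 440..443 does not defeat the allowlist) is this example's design choice, not a statement about how the tool computes its hash.

```python
"""Parse a raw MBR image and report signature, partition table and boot-code hash."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440       # bytes 0..439 are code; 440..443 disk signature, 444..445 reserved
PART_TABLE_OFF = 446      # four 16-byte partition entries
SIGNATURE = b"\x55\xaa"   # bytes 510..511


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def byte_offset(self) -> int:
        # Where the volume begins on the physical disk; the log above reports
        # \\.\C: at 0x7e00, which is LBA 63 * 512, the classic XP layout.
        return self.lba_start * SECTOR_SIZE


def parse_partition_table(mbr: bytes) -> List[Partition]:
    parts: List[Partition] = []
    for i in range(4):
        off = PART_TABLE_OFF + i * 16
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        fields = struct.unpack_from("<B3BB3BII", mbr, off)
        status, ptype, lba, size = fields[0], fields[4], fields[8], fields[9]
        if ptype == 0:
            continue  # empty slot
        parts.append(Partition(i, status == 0x80, ptype, lba, size))
    return parts


def analyze_mbr(mbr: bytes, known_boot_code: Dict[str, str]) -> dict:
    """Return hashes, partitions and whether the boot code matches a trusted reference."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(mbr)}")
    findings: List[str] = []
    if mbr[510:512] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    parts = parse_partition_table(mbr)
    if sum(p.bootable for p in parts) != 1:
        findings.append("expected exactly one partition flagged bootable")
    # Hash only the code region so the per-disk signature does not defeat the allowlist.
    boot_md5 = hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest()
    label = known_boot_code.get(boot_md5)
    if label is None:
        findings.append("Unknown boot code")
    return {
        "sector_md5": hashlib.md5(mbr).hexdigest(),   # what the tool's log line reports
        "boot_code_md5": boot_md5,
        "boot_code_status": "known" if label else "unknown",
        "known_as": label,
        "partitions": parts,
        "findings": findings,
    }


def load_mbr(path: str) -> bytes:
    """Read the first sector from a dump file (e.g. produced by `remover.exe dump`)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


# ---- constructed sample data; none of this comes from the thread's machine ----
REFERENCE_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_LEN - 7)
DISK_SIGNATURE = b"\x12\x34\x56\x78"


def build_sample_mbr(boot_code: bytes = REFERENCE_BOOT_CODE, with_signature: bool = True) -> bytes:
    """Assemble a 512-byte MBR: boot code, disk signature, one bootable NTFS (0x07)
    partition starting at LBA 63 and spanning about 74 GiB, then the 0x55AA trailer."""
    entry = struct.pack("<B3BB3BII", 0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF, 63, 155_189_248)
    table = entry + b"\x00" * 48                   # three empty entries
    tail = SIGNATURE if with_signature else b"\x00\x00"
    mbr = boot_code + DISK_SIGNATURE + b"\x00\x00" + table + tail
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("sample MBR assembled to the wrong size")
    return mbr


# Allowlist keyed by boot-code MD5. Seeded here from the constructed reference;
# in practice it would hold hashes taken from a trusted install medium.
KNOWN_BOOT_CODE = {hashlib.md5(REFERENCE_BOOT_CODE).hexdigest(): "constructed reference"}


if __name__ == "__main__":
    samples = [("clean", build_sample_mbr()),
               ("patched", build_sample_mbr(b"\xeb\xfe" + REFERENCE_BOOT_CODE[2:]))]
    for name, image in samples:
        r = analyze_mbr(image, KNOWN_BOOT_CODE)
        print(name, r["boot_code_status"], r["findings"],
              [hex(p.byte_offset) for p in r["partitions"]])
```

Running the script prints a "known" verdict with no findings for the clean sample and "Unknown boot code" for the variant whose first two bytes were changed. An allowlist miss only means the hash was not recognized: the log's own hint to dump and read the sector is the follow-up, since OEM boot managers also produce boot code that a Microsoft-only allowlist will not recognize.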
 
Additional info:

Started computer this morning. It took 12 minutes until Firefox came up. I deleted all add-ons (except McAfee SiteAdvisor, it wouldn't let me delete).

I restarted the computer and it took another 12 minutes for Firefox. Then I got an Unresponsive script message and then an IE window came up before I could read the Unresponsive script. The IE window was "Dragon Naturally Speaking - MacSpeech Dictate - Windows Internet Explorer". It also said at the bottom of the screen that it was waiting for "nuance.com/talk ..." (it went away before I could read it all).

Then the Unresponsive script was visible again:
Script: file///C:/Program%20Files/Mozilla%20Firefox/components/nsSessionStore.js:2150

I also noticed in Task Manager that Jmq.exe is now running ... that wasn't there when we first started. Does any of this help?
 
Update:

Reset router and that took care of the redirect problem. Just rebooted and no extra windows opened.

So now the only problems are 1) System Configuration Utility coming up every time the computer is started and 2) load times are still in excess of 10 minutes.
 
False Hope. Resetting the router didn't take care of the redirecting ... I'm still getting it, in both IE and Firefox.
 
Okay, let's take this one at a time:

1. Regarding msconfig
Whenever you make a change in the Startup menu using msconfig, you will choose Selective Startup, then the Startup tab. For a reason I have never understood, Windows doesn't consider Selective Startup a valid mode to run in.

So it gives the nag message on the first boot after the changes. It will keep giving the nag message until you make it clear that you do not want to see it again! All you have to do is check 'don't show this message again', then close it. You must stay in Selective Startup to keep the changes.

And any time you make another change using msconfig, the first boot will bring up the same nag message. Once you've finished setting the Startup menu, ignore and close the nag message and it shouldn't come up again. It's very intimidating when you don't know what it means or how to stop it! As for running in Selective Startup, all my computers run from that from the second day I get a computer!

2. For the IE pop-ups, please run the following:

Download Bootkit Remover and save to your Desktop
  1. You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  2. After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
  3. You will see a Black screen with some data on it.
  4. Right click on the screen and click Select All.
  5. Press CTRL+C to Copy
  6. Open a Notepad and press CTRL+V to Paste.
  7. Include the report in your next post.
Credits to Broni
 
Thanks for the info on msconfig. Here's the log:

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: d4b876239615e81ab805b6a9431ee920

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...
 
Okay, next step:
  • Open Notepad
  • Copy and paste the text in the codebox into Notepad:
    Code:
    @ECHO OFF
    REM Launch the Bootkit Remover fix against the first physical disk in its own console window
    START remover.exe fix \\.\PhysicalDrive0
    EXIT
  • Go File > Save As
  • Save as Type choose All Files
  • For File Name type fix.bat
  • Save In> choose Desktop
  • Save
  • Double click to Run fix.bat
(You may see a black box appear; this is normal.)

Run remover.exe again and post its output.

Do NOT reboot computer!
 
Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: d4b876239615e81ab805b6a9431ee920

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...
 
  • Open Notepad
  • Copy and paste the text in the codebox into Notepad:
    Code:
    @ECHO OFF
    REM Launch the Bootkit Remover fix against the first physical disk in its own console window
    START remover.exe fix \\.\PhysicalDrive0
    EXIT
  • Go File > Save As
  • Save as Type choose All Files
  • For File Name type fix.bat
  • Save In> choose Desktop
  • Save
  • Double click to Run fix.bat
(You may see a black box appear; this is normal.)

Run remover.exe again and post its output.

Do NOT reboot computer!
 
Here's the log after running remover again:

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: d4b876239615e81ab805b6a9431ee920

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...
 
Run this please:
  • Open Notepad
  • Copy and paste the text in the codebox into Notepad:
    Code:
    @ECHO OFF
    REM Launch the Bootkit Remover fix against the first physical disk in its own console window
    START remover.exe fix \\.\PhysicalDrive0
    EXIT
  • Go File > Save As
  • Save as Type choose All Files
  • For File Name type fix.bat
  • Save In> choose Desktop
  • Save
  • Double click to Run fix.bat
(You may see a black box appear; this is normal.)

Run remover.exe again and post its output.

Do NOT reboot computer!
 
I've had a very hard time getting this copied and pasted ... the last log that I posted I had to copy it to Word (it wouldn't do it in Note Pad). This time it wouldn't even let me copy it to Word, but I tried one more time and was able to get it into Note Pad.

It appears that I'm getting the same results with the script ... am I doing something wrong? Thanks!

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: d4b876239615e81ab805b6a9431ee920

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...
 
Okay. But don't even try Word- it has to be Notepad. What kind of problems did you have? You just open Notepad and paste the codebox content into it, then continue with directions: Please do this now:

  • Open Notepad
  • Copy and paste the text in the codebox into Notepad:
    Code:
    @ECHO OFF
    REM Launch the Bootkit Remover fix against the first physical disk in its own console window
    START remover.exe fix \\.\PhysicalDrive0
    EXIT
  • Go File > Save As
  • Save as Type choose All Files
  • For File Name type fix.bat
  • Save In> choose Desktop
  • Save
  • Double click to Run fix.bat
(You may see a black box appear; this is normal.)

Run remover.exe again and post its output.

Do NOT reboot computer!
 
Here's what I get when I run fix.bat. I wasn't having any trouble copy & pasting your code ... just having trouble copy and pasting the results to Note Pad.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Kent\Desktop>

And here's the latest results from remover.exe

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: d4b876239615e81ab805b6a9431ee920

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...
 
  • Open Notepad
  • Copy and paste the text in the codebox into Notepad:
    Code:
    @ECHO OFF
    REM Launch the Bootkit Remover fix against the first physical disk in its own console window
    START remover.exe fix \\.\PhysicalDrive0
    EXIT
  • Go File > Save As
  • Save as Type choose All Files
  • For File Name type fix.bat
  • Save In> choose Desktop
  • Save
  • Double click to Run fix.bat
(You may see a black box appear; this is normal.)

Run remover.exe again and post its output.

Do NOT reboot computer!
 
I got the same results as the last four times. However, this time I am unable to copy and paste the results into either Note Pad or Word. I'm doing "select all" and then "Ctrl c". When I do "Ctrl v" and try to paste into Note Pad, it does nothing, the cursor just continues to blink.
 
I kept trying and was finally able to paste into Note Pad (I opened a random Word document, copied, and then pasted ... I couldn't get it to paste into Note Pad the first time, but after several tries I finally got it to work. Then I went back, ran remover.exe again and it let me paste the results into Note Pad):

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: d4b876239615e81ab805b6a9431ee920

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...
 
  • Open Notepad
  • Copy and paste the text in the codebox into Notepad:
    Code:
    @ECHO OFF
    REM Launch the Bootkit Remover fix against the first physical disk in its own console window
    START remover.exe fix \\.\PhysicalDrive0
    EXIT
  • Go File > Save As
  • Save as Type choose All Files
  • For File Name type fix.bat
  • Save In> choose Desktop
  • Save
  • Double click to Run fix.bat
(You may see a black box appear; this is normal.)

Run remover.exe again and post its output.

Do NOT reboot computer!
 
Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: d4b876239615e81ab805b6a9431ee920

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...
 
Please do this now:
  • Open Notepad
  • Copy and paste the text in the codebox into Notepad:
    Code:
    @ECHO OFF
    REM Launch the Bootkit Remover fix against the first physical disk in its own console window
    START remover.exe fix \\.\PhysicalDrive0
    EXIT
  • Go File > Save As
  • Save as Type choose All Files
  • For File Name type fix.bat
  • Save In> choose Desktop
  • Save
  • Double click to Run fix.bat
(You may see a black box appear; this is normal.)

Run remover.exe again and post its output.

Do NOT reboot computer!
 
Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: d4b876239615e81ab805b6a9431ee920

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...
 
Please do this:
  • Open Notepad
  • Copy and paste the text in the codebox into Notepad:
    Code:
    @ECHO OFF
    REM Launch the Bootkit Remover fix against the first physical disk in its own console window
    START remover.exe fix \\.\PhysicalDrive0
    EXIT
  • Go File > Save As
  • Save as Type choose All Files
  • For File Name type fix.bat
  • Save In> choose Desktop
  • Save
  • Double click to Run fix.bat
(You may see a black box appear; this is normal.)

Run remover.exe again and post its output.

Do NOT reboot computer!
 
I have run fix.bat & remover.exe 9 times with the same results. Will you please let me know what this is accomplishing or how many more times I will need to run these processes? I would like to better understand the process so that I know what to expect. Thanks, and here's the latest log:

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: d4b876239615e81ab805b6a9431ee920

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...
 