TechSpot

Completed step 8 logs attached

By arbor13
Nov 20, 2008
Topic Status:
Not open for further replies.
  1. Internet Explorer is slow to open, and Task Manager shows two instances of iexplore.exe. I believe I have some type of infection. I would appreciate any help.

    Attached Files:

  2. mflynn

    mflynn TS Rookie Posts: 2,793

    Hi arbor13

    When any cleaner is run, it is possible that one run removes certain powerful malware and then exposes more that was not even seen on the first run.

    The goal is to get these to come up clean or find something it can not handle.

    So run both MBAM and SAS again and post the logs.

    Good job so far.

    Mike
  3. arbor13

    arbor13 TS Rookie Topic Starter

    iexplore.exe

    Ran both programs again; they came up with 0 detected. Internet Explorer is still slow to open, and Task Manager shows two instances of iexplore.exe. I believe I have some type of infection. I would appreciate any help.
  4. mflynn

    mflynn TS Rookie Posts: 2,793

    hi arbor13

    Yes you likely do have more!

    OK next step.

    Download SDFix to the Desktop. Among other things it includes Catchme, to look for rootkits.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On the Desktop, run SDFix. It will run (install) and then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to the desktop.

    At the Desktop:
    My Computer, C: drive. Double-click to open.

    Look for a folder called SDFix. Double-click to enter SDFix.

    Double-click RunThis.bat. Type Y to begin.

    SDFix does its job.

    When prompted, hit the Enter key to restart the computer.

    Your computer will reboot.

    On the normal restart the Fixtool will run again and complete the removal process, then say Finished.
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Copy and paste the Report.txt file to your next post.

    Mike
  5. arbor13

    arbor13 TS Rookie Topic Starter

    Mike,
    Ran the SDFix program. Here is the log file:


    SDFix: Version 1.240
    Run by paul schneeweiss on Mon 11/24/2008 at 09:32 AM

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Checking Services :


    Restoring Default Security Values
    Restoring Default Hosts File

    Rebooting


    Checking Files :

    No Trojan Files Found






    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
    Rootkit scan 2008-11-24 09:47:03
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :




    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\eSignal\\winros.exe"="C:\\Program Files\\eSignal\\winros.exe:*:Enabled:eSignal Data Manager"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    Remaining Files :



    Files with Hidden Attributes :

    Thu 29 Aug 2002 24,448 A.SHR --- "C:\NTBOOTDD.SYS"
    Wed 10 Jan 2007 30,720 ...HR --- "C:\WINDOWS\CdaC13BA.EXE"
    Wed 10 Jan 2007 112,128 ...HR --- "C:\WINDOWS\CdaC14BA.DLL"
    Fri 22 Aug 2008 637,984 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
    Sun 13 Apr 2008 1,695,232 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
    Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
    Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
    Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
    Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
    Sat 5 Aug 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Fri 12 Sep 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
    Fri 12 Sep 2008 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
    Mon 13 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
    Thu 21 Dec 2006 19,762,176 ...H. --- "C:\Documents and Settings\paul schneeweiss\My Documents\ArborHomeBldrs\~WRL0005.tmp"
    Thu 4 Jan 2007 2,050,048 ...H. --- "C:\Documents and Settings\paul schneeweiss\My Documents\ArborHomeBldrs\~WRL2070.tmp"
    Tue 4 Nov 2008 19,456 ...H. --- "C:\Documents and Settings\paul schneeweiss\My Documents\ArborWest\~WRL0332.tmp"
    Tue 4 Nov 2008 19,456 ...H. --- "C:\Documents and Settings\paul schneeweiss\My Documents\ArborWest\~WRL1234.tmp"
    Tue 4 Nov 2008 19,456 ...H. --- "C:\Documents and Settings\paul schneeweiss\My Documents\ArborWest\~WRL1591.tmp"
    Tue 4 Nov 2008 19,968 ...H. --- "C:\Documents and Settings\paul schneeweiss\My Documents\ArborWest\~WRL3575.tmp"
    Tue 4 Nov 2008 19,456 ...H. --- "C:\Documents and Settings\paul schneeweiss\My Documents\ArborWest\~WRL3992.tmp"
    Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
    Tue 4 Nov 2008 19,456 ...H. --- "C:\Documents and Settings\paul schneeweiss\Application Data\Microsoft\Word\~WRL0004.tmp"

    Finished!

    Thanks for your help. What next? Internet explorer still slow to load and 2 instances of iexplore.exe still in task manager.
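    The two sections of an SDFix report that deserve a second look are "Files with Hidden Attributes" (hidden/system executables are a classic hiding place) and "Authorized Application Key Export" (the programs the XP firewall already lets talk out). The script below is an added example for this thread, not code from SDFix or from either poster: it parses an excerpt copied from the report above and returns the executables and firewall exceptions that sit outside a list of expected locations. That KNOWN_OK list, and the C:\WINDOWS expansion of %windir%, are assumptions for this box; anything it returns is "unfamiliar", not a malware verdict.

```python
import re
from typing import NamedTuple

WINDIR = "C:\\WINDOWS"  # assumption: where %windir% expands on this box
EXEC_EXT = (".exe", ".dll", ".sys", ".com", ".scr", ".ocx", ".cpl", ".bat")
KNOWN_OK = (  # assumption: expected locations for the products seen in the thread
    "C:\\WINDOWS\\system32\\",
    "C:\\WINDOWS\\Network Diagnostic\\",
    "C:\\Program Files\\Internet Explorer\\",
    "C:\\Program Files\\Messenger\\",
    "C:\\Program Files\\Spybot - Search & Destroy\\",
    "C:\\Program Files\\McAfee\\",
    "C:\\Program Files\\Common Files\\McAfee\\",
)

# Excerpt copied from the report posted above (DRMv1.bak kept to show that
# non-executables are ignored).
SAMPLE_REPORT = r'''
Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\eSignal\\winros.exe"="C:\\Program Files\\eSignal\\winros.exe:*:Enabled:eSignal Data Manager"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"

Files with Hidden Attributes :

Thu 29 Aug 2002 24,448 A.SHR --- "C:\NTBOOTDD.SYS"
Wed 10 Jan 2007 30,720 ...HR --- "C:\WINDOWS\CdaC13BA.EXE"
Wed 10 Jan 2007 112,128 ...HR --- "C:\WINDOWS\CdaC14BA.DLL"
Fri 22 Aug 2008 637,984 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
Sun 13 Apr 2008 1,695,232 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sat 5 Aug 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"

Finished!
'''


class HiddenFile(NamedTuple):
    path: str
    attrs: str  # SDFix's five-character field, e.g. "A.SH." = archive, system, hidden
    size: int


class FirewallEntry(NamedTuple):
    profile: str  # "standardprofile" or "domainprofile"
    path: str
    enabled: bool
    label: str


_HIDDEN_RE = re.compile(r'^\w{3} +\d{1,2} +\w{3} +\d{4} +([\d,]+) +(\S{5}) --- "(.+)"$')
_KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\firewallpolicy\\(\w+)\\authorizedapplications\\list\]$", re.I)
_APP_RE = re.compile(r'^"(.+?)"="(.+?):\*:(\w+):(.*)"$')  # "path"="path:*:Enabled:label"


def parse_hidden_files(report):
    out = []
    for line in report.splitlines():
        m = _HIDDEN_RE.match(line.strip())
        if m:
            size, attrs, path = m.groups()
            out.append(HiddenFile(path, attrs, int(size.replace(",", ""))))
    return out


def parse_firewall_exceptions(report):
    out, profile = [], None
    for line in report.splitlines():
        line = line.strip()
        key = _KEY_RE.match(line)
        if key:
            profile = key.group(1).lower()  # remember which profile the list belongs to
            continue
        m = _APP_RE.match(line)
        if m and profile:
            raw_path, _, state, label = m.groups()
            # the export doubles backslashes; undo that and expand %windir%
            path = raw_path.replace("\\\\", "\\").replace("%windir%", WINDIR)
            out.append(FirewallEntry(profile, path, state.lower() == "enabled", label))
    return out


def _is_executable(path):
    return path.lower().endswith(EXEC_EXT)


def _is_known_ok(path):
    return path.lower().startswith(tuple(p.lower() for p in KNOWN_OK))


def triage(report):
    """Hidden/system executables and enabled firewall exceptions that sit
    outside the expected locations: the short list a human should look at."""
    hidden = [f for f in parse_hidden_files(report)
              if _is_executable(f.path) and not _is_known_ok(f.path)]
    firewall = [e for e in parse_firewall_exceptions(report)
                if e.enabled and not _is_known_ok(e.path)]
    return {"hidden_executables": hidden, "firewall_exceptions": firewall}


if __name__ == "__main__":
    for section, items in triage(SAMPLE_REPORT).items():
        print(section)
        for item in items:
            print("  to review:", item.path)
```

    On the excerpt this leaves four hidden executables (the boot driver copy in C:\, the two CdaC* files in C:\WINDOWS and the Motorola difxapi.dll) and one outbound firewall exception (eSignal's winros.exe) to check by hand; the point is to shrink the list to what you have not already accounted for, not to call anything malicious.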
  6. mflynn

    mflynn TS Rookie Posts: 2,793

    Hi Arbor

    Thought you weren't coming back.

    Do the below and ATTACH the log!

    ComboFix

    NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click ComboFix's window while it's running. That may cause it to stall.

    After the above (not before), post a new HJT log.

    Once I see this log clean we will address your slowness and IE issues. But Malware removal comes first.

    Just in case SOMEONE thinks I am missing the multiple virus scanners: I am not, and this HJT log may or may not get cleaned this time, but it will be before we are finished.

    Mike
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Well Mike, I DO notice, and will take issue with the multiple antivirus programs running not being handled.

    arbor13, only one antivirus program should be running. You have processes loading from 3 antivirus programs, plus you have an online scanner running in the background. The reason this needs to be handled now is that the multiple programs can cause a conflict that may leave you with little or NO AV protection. Decide which one you want to keep, remove the entries for ALL of the other programs, uncheck them on startup and uninstall them.

    Additionally, you're running Norton Ghost, backing up your infected files. You need to disable that program for now. When your system is clean, the old infected restore points will be dropped (they show infected in MBAM), so do NOT use System Restore. So why continue backing up infected files?

    These are the entries, programs and Services you need to be concerned with:
  8. mflynn

    mflynn TS Rookie Posts: 2,793

    Ok Arbor

    You can do the above now if you want.

    My priority is to get you clean of Malware and then address these system issues.

    If you do the above first, before we get you clean, my recommendation is Avira if you get rid of one.

    Or if you like McAfee, then you can actually have two virus scanners as long as only one is online/active. In that case the other is an on-demand scanner and has to be explicitly updated and run.

    Your choice.

    The AVG Antispyware is defunct and needs to be uninstalled.

    All of these I would do when you are clean.

    Mike
  9. arbor13

    arbor13 TS Rookie Topic Starter

    Two IEXPLORE.EXE Processes

    Mike,
    Followed your instructions:

    The Combofix.exe log and HJT log are attached.

    I have comcast cable internet service and they provide free Mcafee, so I would like to keep that, unless there is something better.

    I read the other reply and am not sure how to go about removing the other scanners, or how to keep one loaded but only run it when I want to.

    Please let me know and I will make those changes.
    Thanks,
    Paul
  10. mflynn

    mflynn TS Rookie Posts: 2,793

    OK, so we keep McAfee.

    Reboot

    Run Combofix again and post log

    Use HJT Scan only to remove the below.

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL (file missing)
    O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll (file missing)
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

    Then go into Control panel Add/Remove programs and uninstall AVG Anti-Spyware and Avira AntiVir

    Post new HJT log after all the above.

    Mike
  11. arbor13

    arbor13 TS Rookie Topic Starter

    Next step

    Mike,
    Followed your last instructions.

    Attached are the new Combofix log and the HJT log. Also removed AVG anti-spyware and Avira AntiVir.

    Just a quick question. I have been trying to keep up with what is being done, but wondering what type of Malware this computer is infected with. Is it still infected?

    Will await further instructions.
    Thanks for your help,
    Paul
     
  12. mflynn

    mflynn TS Rookie Posts: 2,793

    OK, well, you don't now; you are clean,

    except apparently you did not do the HJT deletions.

    Run HJT Scan only, place a check mark in the boxes by these and then delete:
    O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll (file missing)
    O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL (file missing)

    At your option, in Add/Remove Programs uninstall a2; not a CPU hog but not really needed.

    As to what you had, read the MBAM logs: look under infections found/deleted/quarantined and you will see them.

    I am at work now but will make closing suggestions on how to stay clean later tonight or in the morning.

    Mike
  13. arbor13

    arbor13 TS Rookie Topic Starter

    Additional Questions

    Mike,
    I followed your last instruction and removed the 2 HJT entries. Also removed A2.

    I then opened Internet Explorer and still have the same problem, with 2 processes showing up in Task Manager. One of them is 25,272K and the other is 1,076K (just leaving IE open). If I try to End Process on the small one, Internet Explorer closes immediately. If I try to End Process on the larger one, I get a little bubble saying "This tab has been recovered. A problem with this webpage caused Internet Explorer to close and reopen this tab", and the mem usage goes down to about half and then back to 25K again.

    I'm concerned that there still is something wrong with this computer. Please let me know what you think and how to proceed.
    Thanks again,
    Paul
  14. mflynn

    mflynn TS Rookie Posts: 2,793

  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    What are the names of the processes? Spelling must be exact.
  16. arbor13

    arbor13 TS Rookie Topic Starter

    Two IEXPLORE.EXE processes

    Sorry it took so long to reply, but I was away for the holidays.

    Mike, I followed your instructions and RESET internet explorer. Did not help.

    Bobbye, there are two IEXPLORE.EXE processes that show up in Task Manager as soon as I open internet explorer.

    Without doing anything in Internet Explorer but opening it, this is what shows in Task Manager:

    iexplore.exe username 00 17,152 K
    iexplore.exe username 00 19,412 K

    If I end task on the smaller one (first one) it closes Internet Explorer immediately and both processes disappear. If I end task on the larger one (second one) both processes remain and I receive an error message in Internet Explorer stating "This tab has been recovered. A problem with Internet Explorer caused it to close and reopen this tab".

    I have checked other computers, and they only show 1 entry in task manager. Therefore, I think I am still infected with something on this computer. No idea what though. Hope you can point me in the right direction.

    Mike has been very helpful to this point.

    Thanks in advance for your help and support.
    Paul
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    This was overlooked:
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00

    IE8 is still in beta testing. That means there are still bugs to work out. Only beta testers should be using the beta versions of software.

    Suggest you uninstall IE8 and go back to IE7 if that's what you were using.

    That possibly might be the problem.

    EDIT: IF this hasn't been done, please verify that this is your ISP:
    From description of OpenDNS: To use OpenDNS, all you have to do is open your Network Connections or Router’s settings page and update the default DNS server to point to the OpenDNS nameservers that are 208.67.222.222 and 208.67.220.220.
    208.67.222.222
    OrgName: OpenDNS, LLC
    OrgID: OPEND-2
    Address: 199 Fremont St.
    Address: 12th Floor
    City: San Francisco
    StateProv: CA
    PostalCode: 94105
    Country: US
    O17 - HKLM\System\CCS\Services\Tcpip\..\{129B3878-F654-4D0C-A5AC-CFC2ED8663E0}: NameServer = 208.67.222.222,208.67.220.220
    O17 - HKLM\System\CS1\Services\Tcpip\..\{129B3878-F654-4D0C-A5AC-CFC2ED8663E0}: NameServer = 208.67.222.222,208.67.220.220
    O17 - HKLM\System\CS2\Services\Tcpip\..\{129B3878-F654-4D0C-A5AC-CFC2ED8663E0}: NameServer = 208.67.222.222,208.67.220.220
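    The O17 check above is worth automating, because a DNS-changing infection works by rewriting exactly that NameServer value and then nothing else on the machine needs to be malicious for every lookup to be answered by an attacker. The script below is an added example for this thread, not HijackThis code or anything the posters ran: it parses the O17 lines quoted above, expands them to (control set, adapter, resolver) triples and reports every resolver that is not in the set the owner actually chose. EXPECTED holds the OpenDNS addresses quoted in the post; the fourth sample line is constructed (an all-zero adapter GUID and an RFC 5737 documentation address) to show what a hijacked adapter would look like.

```python
import re
from typing import NamedTuple

# OpenDNS, as quoted in the thread; put your ISP's or your own resolvers here
EXPECTED = {"208.67.222.222", "208.67.220.220"}

# First three lines copied from the HJT log quoted above. The fourth is
# constructed: an all-zero adapter GUID and a documentation-range address
# (RFC 5737) standing in for a resolver the owner never configured.
SAMPLE_O17 = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{129B3878-F654-4D0C-A5AC-CFC2ED8663E0}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{129B3878-F654-4D0C-A5AC-CFC2ED8663E0}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS2\Services\Tcpip\..\{129B3878-F654-4D0C-A5AC-CFC2ED8663E0}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 208.67.222.222,203.0.113.5
"""


class Resolver(NamedTuple):
    control_set: str  # CCS = CurrentControlSet; CS1/CS2 = the other control sets
    interface: str    # adapter GUID under Tcpip\Parameters\Interfaces
    servers: tuple


_O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(\w+)\\Services\\Tcpip\\\.\.\\(\{[0-9A-Fa-f-]+\}): NameServer = (.+)$")


def parse_o17(log):
    """Turn each HJT O17 line into a Resolver record."""
    found = []
    for line in log.splitlines():
        m = _O17_RE.match(line.strip())
        if m:
            control_set, iface, servers = m.groups()
            # HJT separates servers with commas, sometimes spaces
            found.append(Resolver(control_set, iface,
                                  tuple(s for s in re.split(r"[,\s]+", servers) if s)))
    return found


def unexpected_resolvers(log, expected=EXPECTED):
    """Every (control set, interface, server) the owner did not choose.
    Check all control sets, not just CCS: a fix applied to the current set
    alone can be undone by a Last Known Good boot that brings another set back."""
    return [(r.control_set, r.interface, s)
            for r in parse_o17(log) for s in r.servers if s not in expected]


if __name__ == "__main__":
    for cs, iface, server in unexpected_resolvers(SAMPLE_O17):
        print(f"{cs} {iface}: resolver {server} is not one you configured")
```

    An empty result means DNS is where the owner put it; anything else is an adapter to fix (and an address to look up) before trusting any further downloads from that machine.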
  18. mflynn

    mflynn TS Rookie Posts: 2,793

    Good catch Bobbye

    I did miss that it was IE8, I think you hit the nail on the head.

    I will add that after you uninstall IE8, if you still have issues, consider overlaying/reinstalling IE7.

    Bobbye may have some thoughts on this also.

    Mike
  19. arbor13

    arbor13 TS Rookie Topic Starter

    Another Question

    Bobbye & Mike,

    I uninstalled IE8 and am back to IE7 with all 13 updates. IEXPLORE.EXE only appears once in the task manager and it loads the first page in about 3 seconds. Much better.

    I was wondering if you could look at the attached file (screen capture) of my task manager.

    GoogleDesktop.exe is showing up twice. Also, SVCHOST.exe shows up 6 times. Is this normal or is there still a problem with this computer?

    Thanks again for your help in getting Internet Explorer running again and removing the MALWARE.
    Paul
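    A caveat a practitioner would add to the IE8 diagnosis above: IE8 deliberately splits the browser into a frame process and separate tab processes, so two iexplore.exe entries are what a healthy IE8 looks like, and the behaviour described in posts 13 and 16 (killing the small one closes the browser, killing the large one just makes IE restart the tab with "This tab has been recovered") is the frame process and a tab process doing their jobs. The count alone therefore tells you nothing; the useful question, for iexplore.exe and equally for the six svchost.exe entries asked about above, is whether each copy has the image path and the parent the real program would have. The script below is an added example, not something either helper posted: it audits a constructed process snapshot (PIDs and the two Temp-folder impostors are made up; the expected paths and parents are assumptions for XP SP3) with exactly that rule, and it generalizes from the iexplore.exe case in the thread to svchost.exe as well.

```python
from collections import Counter
from typing import NamedTuple


class Proc(NamedTuple):
    pid: int
    ppid: int
    name: str
    image: str  # full path of the executable image


IE_PATH = "C:\\Program Files\\Internet Explorer\\iexplore.exe"
SVCHOST_PATH = "C:\\WINDOWS\\system32\\svchost.exe"

# name -> (allowed image paths, allowed parent names); assumptions for XP SP3
RULES = {
    "iexplore.exe": ({IE_PATH}, {"explorer.exe", "iexplore.exe"}),  # IE8: the frame spawns tabs
    "svchost.exe": ({SVCHOST_PATH}, {"services.exe"}),             # only the SCM starts svchost
}

# Constructed snapshot (PIDs and the two Temp-folder impostors are made up);
# the legitimate part mirrors a quiet XP desktop with IE8 open on one tab.
SNAPSHOT = [
    Proc(4, 0, "System", ""),
    Proc(360, 4, "smss.exe", "C:\\WINDOWS\\system32\\smss.exe"),
    Proc(500, 360, "winlogon.exe", "C:\\WINDOWS\\system32\\winlogon.exe"),
    Proc(560, 500, "services.exe", "C:\\WINDOWS\\system32\\services.exe"),
    Proc(700, 560, "svchost.exe", SVCHOST_PATH),
    Proc(720, 560, "svchost.exe", SVCHOST_PATH),
    Proc(600, 580, "explorer.exe", "C:\\WINDOWS\\explorer.exe"),  # parent (userinit) already exited
    Proc(1000, 600, "iexplore.exe", IE_PATH),   # IE8 frame process
    Proc(1100, 1000, "iexplore.exe", IE_PATH),  # IE8 tab process, child of the frame
    Proc(1250, 600, "svchost.exe", "C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe"),
    Proc(1300, 1250, "iexplore.exe", "C:\\Documents and Settings\\user\\Local Settings\\Temp\\iexplore.exe"),
]


def count_by_name(snapshot):
    """What Task Manager shows: how many processes share each name."""
    return Counter(p.name.lower() for p in snapshot)


def audit(snapshot, rules=RULES):
    """Return (pid, what, value) findings for processes whose image path or
    parent is not what the real program would have. A process whose parent
    has exited is reported as "<exited>" so a human can decide."""
    by_pid = {p.pid: p for p in snapshot}
    findings = []
    for p in snapshot:
        rule = rules.get(p.name.lower())
        if rule is None:
            continue
        paths, parents = rule
        if p.image.lower() not in {x.lower() for x in paths}:
            findings.append((p.pid, "image path", p.image))
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else "<exited>"
        if parent_name not in parents:
            findings.append((p.pid, "parent", parent_name))
    return findings


if __name__ == "__main__":
    print("counts:", dict(count_by_name(SNAPSHOT)))
    for pid, what, value in audit(SNAPSHOT):
        print(f"pid {pid}: unexpected {what}: {value}")
```

    On the snapshot the two genuine iexplore.exe processes and both real svchost.exe processes pass, while the two copies living in a Temp folder are reported twice each (wrong path, wrong parent). Task Manager on XP does not show parent PIDs or image paths; Process Explorer does, and `wmic process get Name,ProcessId,ParentProcessId,ExecutablePath` gives the same four columns from the command line to feed a list like SNAPSHOT.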
  20. arbor13

    arbor13 TS Rookie Topic Starter

    Bobbye & Mike,

    I also wondered what I would need to clean up (delete) from all of the MALWARE scanning programs that were downloaded to my computer. Please let me know.

    Thanks,
    Paul
  21. mflynn

    mflynn TS Rookie Posts: 2,793

    I don't know about Google desktop. I don't use those things as they are already available on the net. It very well could be normal.

    The 1% Cpu usage shows it is not hogging the cpu.

    Perhaps someone that uses Google Desktop.

    OK here is the cleanup you wanted.

    If you downloaded the attachment Fixit, then just delete it.

    Thread closing-------------------------------------------------------------------------------------------------------------
    Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

    Save to desktop.

    This will remove all the tools we used to clean your computer.
    These tools update so often that they require downloading again later if needed.

    Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

    Approve all if prompted by your firewall, Windows Defender or other guards or security programs about OTCleanIt attempting to access the Internet; allow all.

    If prompted to reboot, click Yes.
    OTCleanIt will delete itself when finished; if not, delete it yourself.

    -------------------------------------------------------------------------------------
    Run CCleaner again, twice or more, on Cleanup temps; then on the left click Registry, then Scan for issues, and also repeat till clean.

    Download, install and run ATF-Cleaner; clear all except passwords in all browsers you have. Run repeatedly until no more is found.

    http://www.majorgeeks.com/ATF_Cleaner_d4949.html
    -------------------------------------------------------------------------------------
    The issues found are in System Restore, so do the below:

    Start > Programs > Accessories > System Tools > System Restore, and create a new Restore Point. Name it "After cleanup at TechSpot".

    Then Start > Programs > Accessories > System Tools > Disk Cleanup
    Click OK to accept C:
    Select all boxes
    Then click More Options
    Here click System Restore, OK to "Are you sure", and then OK to run.

    As this runs it clears all but the most recent Restore Point, but it does one other thing: it clears something that can contain infected files and take a huge amount of disk space.

    It clears what are known as Shadow Copies, which are used by specialized backup programs.

    This is if you have the Volume Shadow Copy service running, which is the default.
    -------------------------------------------------------------------------------------

    Every 2 weeks or so run MBAM and SAS until clean. They take a while, so leave them scanning while you are sleeping, working or watching TV. If not done under the gun, they can be scheduled not to interfere with computer time.

    If they find something they can not clean then get back to us.

    Additionally run CCleaner.

    I have been using ThreatFire for more than a year; it just went from ver 3 to ver 4.

    It was designed to co-exist with other virus scanners.

    Additionally it uses a totally different process to protect. While conventional virus scanners work from definitions, ThreatFire works on recognizing virus/malware activity. It's like looking at it with 2 sets of eyes and from a different angle.

    http://www.threatfire.com/Download/
    -------------------------------------------------------------------------------------
    Look at http://www.javacoolsoftware.com/spywareblaster.html

    Run SpyBot occasionally and use the Immunize function.
    http://www.safer-networking.org/en/download/

    Install Hostman and allow it to disable the DNS Client service, and select all 4 Hosts files and the Update.
    Hostman http://www.abelhadigital.com/2008/07...-released.html

    A Disk scan and Defrag are in order.

    Mike
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Paul, I'll check the Task Manager. But in the meantime:

    Remove the cleaning tools:

    Download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe)
    I'll come back with an EDIT for the Task Manager Processes.
    Clear system restore points
    Clear your existing system restore points and establish a new clean restore point:
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    New post for Processes in Task Manager:
    Paul, this is more than you asked for. I have omitted some processes that need to run as part of the OS. Others I have identified, some of which you can stop: those are marked 'non-essential'.
    Others say NO, meaning you should remove them from Startup or change the Service Startup type to either Manual or Disabled.
    The program or process can then be started manually if needed:
    Use what you want, ignore the rest:

    Windows Task Manager
    1. aawservice.exe > AdAware 2008- from Service in 023

    You have two Fax Services running. They do not need to either start up or run unless you are actively using them.

    None of the following need to start up and can be started manually when needed. "Non-Essential" means not necessary to start on boot.
    From Google Groups:
    McAfee Processes:
    Scanners: No
    The following are normal processes. I have 9 usually showing
    NOTE: Some of these processes are controlled on the startup menu: Start > Run > msconfig > Enter > Selective Startup > Startup tab > UNCHECK any you don't want to start up > Apply > OK

    Others are controlled according to the Startup type set for Services.
    When through, reboot the computer. You will get a nag message that you can ignore after you check 'don't show this message again.' Stay in Selective Startup.
  24. arbor13

    arbor13 TS Rookie Topic Starter

    Mike,

    Followed your directions. Got to the last one about Hostman, but when I clicked your link it went to a page that says "The blog you were looking for was not found."
    Everything else worked fine.

    Bobbye,
    Thanks for all of the information on the task manager. From all of your details, it doesn't look like I have anything suspicious left. I will get rid of the non-essential stuff.

    Thanks again to both of you for your help, I really appreciate it.
    Paul
  25. mflynn

    mflynn TS Rookie Posts: 2,793
