Iexplore.exe processes pop up, apparent rootkit infection

Inactive
By DoktrMik
Jul 24, 2010
Topic Status:
Not open for further replies.
  1. There seem to be a number of people with this issue, and I've tried to follow some of the other threads here to resolve.

    When connected to the net I get a pair of iexplore.exe processes appearing and then popups randomly appear. When I'm not on the net there's no noticeable problem.

    I've attached DDS and GMER logs, but also tried the eSage Bootkit Remover which believes I have a problem:

    ----------------
    Bootkit Remover
    © 2009 eSage Lab
    www.esagelab.com

    Program version: 1.1.0.0
    OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: 305658c5e95259df8541c6683a71d729

    Size Device Name MBR Status
    ---------------------------------------------------
    465 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks

    --
    Unfortunately a fix operation doesn't resolve this (using the creation of a .bat file I've seen on these forums). I still get this message and I'm wondering if perhaps I need to consider running the Recovery console and doing a fixmbr...

    Thanks in advance for any suggestions.
    DM

    Attached Files:

  2. Broni

    Broni Malware Annihilator Posts: 46,387   +252

    Malwarebytes log is missing, so please provide that.

    Also...

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.
  3. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    Hi Broni, Thanks for your reply.

    Sorry 'bout missing the log. I ran several iterations of Malwarebytes, so I'll have to include them all. Originally when I got the virus it would not let me start MBAM nor browse to their web site, but after starting MBAM in safe mode I was able to update and move past that issue.

    Notices of infection from MBAM logs (I can attach the full log files if you want)

    Files Infected:
    C:\System Volume Information\_restore{82431C6D-9B9C-4BFD-842B-FA5E1956B109}\RP488\A0082413.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{82431C6D-9B9C-4BFD-842B-FA5E1956B109}\RP488\A0082427.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{82431C6D-9B9C-4BFD-842B-FA5E1956B109}\RP488\A0082518.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Temp\regbak\ERDNTWIN.OVL (Trojan.Banker) -> Quarantined and deleted successfully.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.79,93.188.166.229 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce8b9f7f-8036-41d9-b0de-3f644b017594}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.79,93.188.166.229 -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\system32\ernel32.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Trojan.Agent) -> Quarantined and deleted successfully.


    As you suggested, I ran MBRCheck:


    MBRCheck, version 1.1.1
    (c) 2010, AD

    \\.\C: --> \\.\PhysicalDrive0
    \\.\E: --> \\.\PhysicalDrive0
    \\.\F: --> \\.\PhysicalDrive2
    \\.\G: --> \\.\PhysicalDrive2
    \\.\H: --> \\.\PhysicalDrive2
    \\.\I: --> \\.\PhysicalDrive3
    \\.\J: --> \\.\PhysicalDrive1
    \\.\Q: --> \\.\PhysicalDrive2

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 MBR Code Faked!
    465 GB \\.\PhysicalDrive2 Known-bad MBR code detected (Whistler / Black Internet)!
    111 GB \\.\PhysicalDrive3 Known-bad MBR code detected (Whistler / Black Internet)!
    232 GB \\.\PhysicalDrive1 Known-bad MBR code detected (Whistler / Black Internet)!

    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    Done! Press ENTER to exit...



    Thanks again!
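The MBRCheck output above is what the rest of the thread reasons over by hand: which drive letters live on which physical disk, which disk carries the system volume, and which disks still report a non-standard boot sector. The following helper is an added example (not part of this thread and not MBRCheck's own code) that parses that console layout into a per-disk summary and orders the disks so the one holding the system volume is reviewed first. The log embedded in it is a constructed sample that follows the layout of the MBRCheck 1.1.1 output quoted in the post.

```python
"""Triage helper for MBRCheck console logs.

Added example: not part of the TechSpot thread and not MBRCheck's own code.
It reconstructs the volume-to-disk map and the per-disk MBR verdicts that the
thread works out by hand, and puts the disk holding the system volume first.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, laid out like the MBRCheck 1.1.1 output quoted in the thread.
SAMPLE_LOG = r"""
MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\E: --> \\.\PhysicalDrive0
\\.\F: --> \\.\PhysicalDrive2
\\.\G: --> \\.\PhysicalDrive2
\\.\H: --> \\.\PhysicalDrive2
\\.\I: --> \\.\PhysicalDrive3
\\.\J: --> \\.\PhysicalDrive1
\\.\Q: --> \\.\PhysicalDrive2

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 MBR Code Faked!
465 GB \\.\PhysicalDrive2 Known-bad MBR code detected (Whistler / Black Internet)!
111 GB \\.\PhysicalDrive3 Known-bad MBR code detected (Whistler / Black Internet)!
232 GB \\.\PhysicalDrive1 Known-bad MBR code detected (Whistler / Black Internet)!

Found non-standard or infected MBR.
"""

# "\\.\C: --> \\.\PhysicalDrive0"  and  "465 GB \\.\PhysicalDrive0 <status>"
VOLUME_RE = re.compile(r"^\\\\\.\\([A-Z]):\s+-->\s+\\\\\.\\PhysicalDrive(\d+)$")
STATUS_RE = re.compile(r"^(\d+)\s+GB\s+\\\\\.\\PhysicalDrive(\d+)\s+(.+)$")


@dataclass
class Disk:
    number: int
    size_gb: int = 0
    status: str = ""
    volumes: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        """Collapse MBRCheck's free-text status into a verdict. Bad markers are tested
        first because "Known-bad MBR code detected" also contains "MBR code detected"."""
        s = self.status.lower()
        if "known-bad" in s or "faked" in s:
            return "infected"
        if "mbr code detected" in s:          # e.g. "Windows XP MBR code detected"
            return "standard"
        return "unknown"


def parse_mbrcheck(text: str) -> dict:
    """Return {disk number: Disk} built from the volume map and the status table."""
    disks = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = VOLUME_RE.match(line)
        if m:
            letter, num = m.group(1), int(m.group(2))
            disks.setdefault(num, Disk(num)).volumes.append(letter)
            continue
        m = STATUS_RE.match(line)
        if m:
            size, num, status = int(m.group(1)), int(m.group(2)), m.group(3).strip()
            d = disks.setdefault(num, Disk(num))
            d.size_gb, d.status = size, status
    for d in disks.values():
        d.volumes.sort()
    return disks


def triage(disks: dict, system_volume: str = "C") -> list:
    """Order disks for review: the one carrying the system volume first, then the
    rest by disk number. Returns (disk number, verdict, volumes) tuples."""
    def key(d):
        return (system_volume not in d.volumes, d.number)
    return [(d.number, d.verdict, d.volumes) for d in sorted(disks.values(), key=key)]


def still_infected(disks: dict) -> list:
    """Disk numbers whose MBR still reports faked or known-bad boot code."""
    return sorted(n for n, d in disks.items() if d.verdict == "infected")


if __name__ == "__main__":
    parsed = parse_mbrcheck(SAMPLE_LOG)
    for num, verdict, vols in triage(parsed):
        d = parsed[num]
        print(f"PhysicalDrive{num} ({d.size_gb} GB) {','.join(vols)}: {verdict} - {d.status}")
    print("disks still flagged:", still_infected(parsed))
```

Re-running the parser on each new MBRCheck log posted in a thread like this one turns the per-disk comparison (which disk was just rewritten, which ones still show known-bad code) into a diff of `still_infected()` results rather than a line-by-line read.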
  4. Broni

    Broni Malware Annihilator Posts: 46,387   +252

    OK. Now you have to explain to me what all those drives are and where Windows is installed.
  5. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    Windows is installed on C. The other partitions don't contain an OS but are used for music, artwork, backups, etc. They just contain files, in other words, and I'd never boot from them.
  6. Broni

    Broni Malware Annihilator Posts: 46,387   +252

    Rerun MBRCheck.
    Enter 'Y' and hit ENTER for more options and select option "2".
    When asked for physical disk number, enter 0 (zero).
    Next, enter 1 (Windows XP) for MBR code.
    Post resulting log.
  7. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    Really appreciate your help...

    MBRCheck, version 1.1.1
    (c) 2010, AD


    \\.\C: --> \\.\PhysicalDrive0
    \\.\E: --> \\.\PhysicalDrive0
    \\.\F: --> \\.\PhysicalDrive2
    \\.\G: --> \\.\PhysicalDrive2
    \\.\H: --> \\.\PhysicalDrive2
    \\.\I: --> \\.\PhysicalDrive3
    \\.\J: --> \\.\PhysicalDrive1
    \\.\Q: --> \\.\PhysicalDrive2

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 MBR Code Faked!
    465 GB \\.\PhysicalDrive2 Known-bad MBR code detected (Whistler / Black Internet)!
    111 GB \\.\PhysicalDrive3 Known-bad MBR code detected (Whistler / Black Internet)!
    232 GB \\.\PhysicalDrive1 Known-bad MBR code detected (Whistler / Black Internet)!

    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Options:

    [1] Dump the MBR of a physical disk to file.
    [2] Restore the MBR of a physical disk with a standard boot code.
    [3] Exit.

    Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): Available MBR codes:

    [ 0] Default (Windows XP)
    [ 1] Windows XP
    [ 2] Windows Server 2003
    [ 3] Windows Vista
    [ 4] Windows 2008
    [ 5] Windows 7
    [-1] Cancel

    Please select the MBR code to write to this drive:

    Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: Successfully wrote new MBR code!

    Please reboot your computer to complete the fix.

    Done! Press ENTER to exit...

    ---

    I rebooted without issues, and ran MBRCheck again:

    MBRCheck, version 1.1.1
    (c) 2010, AD

    \\.\C: --> \\.\PhysicalDrive0
    \\.\E: --> \\.\PhysicalDrive0
    \\.\F: --> \\.\PhysicalDrive2
    \\.\G: --> \\.\PhysicalDrive2
    \\.\H: --> \\.\PhysicalDrive2
    \\.\I: --> \\.\PhysicalDrive3
    \\.\J: --> \\.\PhysicalDrive1
    \\.\Q: --> \\.\PhysicalDrive2

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    465 GB \\.\PhysicalDrive2 Known-bad MBR code detected (Whistler / Black Internet)!
    111 GB \\.\PhysicalDrive3 Known-bad MBR code detected (Whistler / Black Internet)!
    232 GB \\.\PhysicalDrive1 Known-bad MBR code detected (Whistler / Black Internet)!

    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done! Press ENTER to exit...
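MBRCheck's option 2 ("Restore the MBR of a physical disk with a standard boot code") only rewrites the executable boot-code area of the sector; the disk signature, the partition table and the 0x55AA marker are what make the drive's data reachable and must survive the rewrite, which is why the reboot above came up without issues. The following is an added example (not part of this thread, and not MBRCheck's or Bootkit Remover's code) that lays out the 512-byte MBR structure, hashes the boot-code region the way the tools above compare it against known code, and performs a restore that touches only those first 440 bytes while verifying the partition table is unchanged. The sector it builds is constructed: the boot-code and "standard code" bytes are labelled placeholders, not a real loader, and the partition table is invented.

```python
"""Byte-level view of what a "restore MBR with standard boot code" operation touches.

Added example, not part of the thread and not MBRCheck's or Bootkit Remover's code.
The sector below is constructed: its boot-code area is filler, not a real boot
loader, and the partition table is invented for illustration.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439: executable boot code (what a bootkit replaces)
DISK_SIG_OFF = 440           # 4-byte disk signature followed by 2 reserved bytes
PART_TABLE_OFF = 446         # four 16-byte partition entries
SIGNATURE = b"\x55\xaa"      # bytes 510..511

# Constructed placeholders standing in for real loader code (hypothetical values).
STANDARD_CODE = b"CONSTRUCTED-STANDARD-BOOT-CODE-PLACEHOLDER"
TAMPERED_CODE = b"CONSTRUCTED-TAMPERED-BOOT-CODE-PLACEHOLDER"
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a sector with the given boot code and an invented two-partition table."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    p1 = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 400_000_000)
    p2 = struct.pack(ENTRY_FMT, 0x00, b"\xfe\xff\xff", 0x07, b"\xfe\xff\xff", 400_000_063, 575_000_000)
    empty = b"\x00" * 16
    return code + disk_sig + p1 + p2 + empty + empty + SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split a sector into the fields a checker cares about; rejects malformed input."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:                      # type 0 means an unused entry
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "boot_code_md5": hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest(),
        "sector_md5": hashlib.md5(sector).hexdigest(),   # whole-sector hash, as Bootkit Remover prints
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": parts,
    }


def boot_code_is_known(sector: bytes, known_hashes: set) -> bool:
    """Allow-list check: compare the boot-code hash against hashes computed from
    loader code you trust (a clean reference sector of the same OS)."""
    return hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest() in known_hashes


def restore_boot_code(sector: bytes, standard_code: bytes) -> bytes:
    """Replace only the boot-code area, leaving disk signature, partition table and
    0x55AA marker as they were; refuses to return a sector whose table changed."""
    before = parse_mbr(sector)              # validates the input first
    new = standard_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN] + sector[BOOT_CODE_LEN:]
    after = parse_mbr(new)
    if after["partitions"] != before["partitions"] or after["disk_signature"] != before["disk_signature"]:
        raise RuntimeError("partition table or disk signature changed during restore")
    return new


if __name__ == "__main__":
    clean = build_sample_mbr(STANDARD_CODE)
    tampered = build_sample_mbr(TAMPERED_CODE)
    known = {parse_mbr(clean)["boot_code_md5"]}
    print("tampered boot code known?", boot_code_is_known(tampered, known))
    restored = restore_boot_code(tampered, STANDARD_CODE)
    print("restored boot code known?", boot_code_is_known(restored, known))
    print("partition table preserved?", parse_mbr(restored)["partitions"] == parse_mbr(tampered)["partitions"])
```

The separation between `boot_code_md5` and `sector_md5` is the practical point: two disks with identical loader code but different partition tables produce different whole-sector hashes, so a whole-sector hash (the figure Bootkit Remover prints) only tells you the sector changed, while the boot-code hash is what an allow-list of known loaders should be built on.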
  8. Broni

    Broni Malware Annihilator Posts: 46,387   +252

    Restart computer and check for iexplore.exe issue.
  9. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    It actually looks good! :D

    Do I need to worry about the MBR code detected on the other drives? I assume I should also do another full MBAM scan to check things are OK?

    Many thanks, Broni. It makes me mad that there are people writing these viruses, but it makes me happy that there are people like you around to help out :)
  10. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    Dammit, I spoke too soon. After a few minutes some iexplore.exe processes turned up. I killed them and disconnected.

    Things have improved though. Before, when I'd go online my AV software would immediately complain that it had blocked IP connections. Now that's gone, but I guess the iexplore issue is not.
  11. Broni

    Broni Malware Annihilator Posts: 46,387   +252

    No, you don't have to worry about other MBR codes, but there is a good chance that some infection may still be present.
    We'd better check.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  12. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    [removed because it was huge]
  13. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    [removed because it was huge]
  14. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    Sorry, I pasted it first which was clearly a bad idea. Now the log is attached... :)

    Attached Files:

  15. Broni

    Broni Malware Annihilator Posts: 46,387   +252

    I can see, you ran Combofix once already:
    I'd like to see that log.

    iexplore.exe still present?
  16. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    Indeed I did a few days ago - here's the log. Bear in mind I've tried a few other things since then.

    Attached Files:

  17. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    ...and yes - the iexplore issue is still present.
  18. Broni

    Broni Malware Annihilator Posts: 46,387   +252

    Combofix log looks decent.

    Please, re-run MBRCheck and post new log.
  19. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    Seems OK...

    MBRCheck, version 1.1.1
    (c) 2010, AD

    \\.\C: --> \\.\PhysicalDrive0
    \\.\E: --> \\.\PhysicalDrive0
    \\.\F: --> \\.\PhysicalDrive2
    \\.\G: --> \\.\PhysicalDrive2
    \\.\H: --> \\.\PhysicalDrive2
    \\.\I: --> \\.\PhysicalDrive3
    \\.\J: --> \\.\PhysicalDrive1
    \\.\Q: --> \\.\PhysicalDrive2


    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    465 GB \\.\PhysicalDrive2 Known-bad MBR code detected (Whistler / Black Internet)!
    111 GB \\.\PhysicalDrive3 Known-bad MBR code detected (Whistler / Black Internet)!
    232 GB \\.\PhysicalDrive1 Known-bad MBR code detected (Whistler / Black Internet)!

    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done! Press ENTER to exit...
  20. Broni

    Broni Malware Annihilator Posts: 46,387   +252

    OK. We have to be very careful here when dealing with the MBR, so I need more info....

    From what I can see, we have:
    - drive0: two partitions C and E (Windows XP on C partition)
    - drive1: one partition J
    - drive2: three partitions F, G and Q
    - drive3: one partition I
    Is that correct?
    All internal drives?
  21. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    Correct - they're all internal drives. Your description is correct except that drive 2 also has partition H, so there are four in total there.
  22. Broni

    Broni Malware Annihilator Posts: 46,387   +252

    OK. I missed that.
    Give me a few to give you further instructions.
  23. Broni

    Broni Malware Annihilator Posts: 46,387   +252

    Rerun MBRCheck.
    Enter 'Y' and hit ENTER for more options and select option "2".
    When asked for physical disk number, enter 1.
    Next, enter 1 (Windows XP) for MBR code.
    Post resulting log.
  24. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    MBRCheck, version 1.1.1
    (c) 2010, AD

    \\.\C: --> \\.\PhysicalDrive0
    \\.\E: --> \\.\PhysicalDrive0
    \\.\F: --> \\.\PhysicalDrive2
    \\.\G: --> \\.\PhysicalDrive2
    \\.\H: --> \\.\PhysicalDrive2
    \\.\I: --> \\.\PhysicalDrive3
    \\.\J: --> \\.\PhysicalDrive1
    \\.\Q: --> \\.\PhysicalDrive2

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    465 GB \\.\PhysicalDrive2 Known-bad MBR code detected (Whistler / Black Internet)!
    111 GB \\.\PhysicalDrive3 Known-bad MBR code detected (Whistler / Black Internet)!
    232 GB \\.\PhysicalDrive1 Known-bad MBR code detected (Whistler / Black Internet)!

    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    Options:
    [1] Dump the MBR of a physical disk to file.
    [2] Restore the MBR of a physical disk with a standard boot code.
    [3] Exit.

    Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): Available MBR codes:

    [ 0] Default (Windows XP)
    [ 1] Windows XP
    [ 2] Windows Server 2003
    [ 3] Windows Vista
    [ 4] Windows 2008
    [ 5] Windows 7
    [-1] Cancel

    Please select the MBR code to write to this drive:
    Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: Successfully wrote new MBR code!
    Please reboot your computer to complete the fix.

    Done! Press ENTER to exit...


    and after a reboot:

    MBRCheck, version 1.1.1
    (c) 2010, AD

    \\.\C: --> \\.\PhysicalDrive0
    \\.\E: --> \\.\PhysicalDrive0
    \\.\F: --> \\.\PhysicalDrive2
    \\.\G: --> \\.\PhysicalDrive2
    \\.\H: --> \\.\PhysicalDrive2
    \\.\I: --> \\.\PhysicalDrive3
    \\.\J: --> \\.\PhysicalDrive1
    \\.\Q: --> \\.\PhysicalDrive2

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    465 GB \\.\PhysicalDrive2 Known-bad MBR code detected (Whistler / Black Internet)!
    111 GB \\.\PhysicalDrive3 Known-bad MBR code detected (Whistler / Black Internet)!
    232 GB \\.\PhysicalDrive1 Windows XP MBR code detected

    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    Done! Press ENTER to exit...
  25. Broni

    Broni Malware Annihilator Posts: 46,387   +252

    Looks good :)

    Reboot.

    Rerun MBRCheck.
    Enter 'Y' and hit ENTER for more options and select option "2".
    When asked for physical disk number, enter 2.
    Next, enter 1 (Windows XP) for MBR code.
    Post resulting log.