Iexplore.exe processes pop up, apparent rootkit infection

Inactive
By DoktrMik
Jul 24, 2010
Topic Status:
Not open for further replies.
  1. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    MBRCheck, version 1.1.1
    (c) 2010, AD

    \\.\C: --> \\.\PhysicalDrive0
    \\.\E: --> \\.\PhysicalDrive0
    \\.\F: --> \\.\PhysicalDrive2
    \\.\G: --> \\.\PhysicalDrive2
    \\.\H: --> \\.\PhysicalDrive2
    \\.\I: --> \\.\PhysicalDrive3
    \\.\J: --> \\.\PhysicalDrive1
    \\.\Q: --> \\.\PhysicalDrive2

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    465 GB \\.\PhysicalDrive2 Known-bad MBR code detected (Whistler / Black Internet)!
    111 GB \\.\PhysicalDrive3 Known-bad MBR code detected (Whistler / Black Internet)!
    232 GB \\.\PhysicalDrive1 Windows XP MBR code detected

    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Options:
    [1] Dump the MBR of a physical disk to file.
    [2] Restore the MBR of a physical disk with a standard boot code.
    [3] Exit.

    Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): Available MBR codes:

    [ 0] Default (Windows XP)
    [ 1] Windows XP
    [ 2] Windows Server 2003
    [ 3] Windows Vista
    [ 4] Windows 2008
    [ 5] Windows 7
    [-1] Cancel

    Please select the MBR code to write to this drive:

    Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: Successfully wrote new MBR code!

    Please reboot your computer to complete the fix.
    Done! Press ENTER to exit...



    And after a reboot...


    MBRCheck, version 1.1.1
    (c) 2010, AD

    \\.\C: --> \\.\PhysicalDrive0
    \\.\E: --> \\.\PhysicalDrive0
    \\.\F: --> \\.\PhysicalDrive2
    \\.\G: --> \\.\PhysicalDrive2
    \\.\H: --> \\.\PhysicalDrive2
    \\.\I: --> \\.\PhysicalDrive3
    \\.\J: --> \\.\PhysicalDrive1
    \\.\Q: --> \\.\PhysicalDrive2

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    465 GB \\.\PhysicalDrive2 Windows XP MBR code detected
    111 GB \\.\PhysicalDrive3 Known-bad MBR code detected (Whistler / Black Internet)!
    232 GB \\.\PhysicalDrive1 Windows XP MBR code detected

    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done! Press ENTER to exit...



    Y'know, I have a feeling I know what you're going to suggest next... :)
  2. Broni

    Broni Malware Annihilator Posts: 46,127   +251

    Haha...LOL

    Restart computer (important!)

    Rerun MBRCheck.
    Enter 'Y' and hit ENTER for more options and select option "2".
    When asked for physical disk number, enter 3.
    Next, enter 1 (Windows XP) for MBR code.
    Post resulting log.
  3. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    MBRCheck, version 1.1.1
    (c) 2010, AD

    \\.\C: --> \\.\PhysicalDrive0
    \\.\E: --> \\.\PhysicalDrive0
    \\.\F: --> \\.\PhysicalDrive2
    \\.\G: --> \\.\PhysicalDrive2
    \\.\H: --> \\.\PhysicalDrive2
    \\.\I: --> \\.\PhysicalDrive3
    \\.\J: --> \\.\PhysicalDrive1
    \\.\Q: --> \\.\PhysicalDrive2

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    465 GB \\.\PhysicalDrive2 Windows XP MBR code detected
    111 GB \\.\PhysicalDrive3 Known-bad MBR code detected (Whistler / Black Internet)!
    232 GB \\.\PhysicalDrive1 Windows XP MBR code detected


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    Options:
    [1] Dump the MBR of a physical disk to file.
    [2] Restore the MBR of a physical disk with a standard boot code.
    [3] Exit.

    Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): Available MBR codes:
    [ 0] Default (Windows XP)
    [ 1] Windows XP
    [ 2] Windows Server 2003
    [ 3] Windows Vista
    [ 4] Windows 2008
    [ 5] Windows 7
    [-1] Cancel

    Please select the MBR code to write to this drive:
    Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: Successfully wrote new MBR code!

    Please reboot your computer to complete the fix.


    ...and after a reboot we're all green:


    MBRCheck, version 1.1.1
    (c) 2010, AD

    \\.\C: --> \\.\PhysicalDrive0
    \\.\E: --> \\.\PhysicalDrive0
    \\.\F: --> \\.\PhysicalDrive2
    \\.\G: --> \\.\PhysicalDrive2
    \\.\H: --> \\.\PhysicalDrive2
    \\.\I: --> \\.\PhysicalDrive3
    \\.\J: --> \\.\PhysicalDrive1
    \\.\Q: --> \\.\PhysicalDrive2

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    465 GB \\.\PhysicalDrive2 Windows XP MBR code detected
    111 GB \\.\PhysicalDrive3 Windows XP MBR code detected
    232 GB \\.\PhysicalDrive1 Windows XP MBR code detected

    Done! Press ENTER to exit...



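The three MBRCheck runs above show the pattern a responder has to track by hand: the tool flags every disk whose boot code matches a known-bad signature, but its "Restore" option rewrites one physical disk per run, so disk 2 is clean after the first pass while disk 3 still reports Whistler / Black Internet until a second pass. The script below is an added example (not MBRCheck's code and not from this thread) that parses a log in the same layout, lists the disks still flagged, and maps them back to the drive letters that live on them. The log it reads is a constructed sample, not a copy of the poster's system.

```python
"""Parse MBRCheck 1.1.1-style output and report which physical disks, and
which drive letters on them, still carry boot code the tool marked known-bad.

Added example, not MBRCheck's own code. SAMPLE_LOG is a constructed excerpt
in the same layout as the logs posted in the thread.
"""
import re

SAMPLE_LOG = r"""MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\E: --> \\.\PhysicalDrive0
\\.\F: --> \\.\PhysicalDrive2
\\.\I: --> \\.\PhysicalDrive3
\\.\J: --> \\.\PhysicalDrive1

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
465 GB \\.\PhysicalDrive2 Known-bad MBR code detected (Whistler / Black Internet)!
111 GB \\.\PhysicalDrive3 Known-bad MBR code detected (Whistler / Black Internet)!
232 GB \\.\PhysicalDrive1 Windows XP MBR code detected

Found non-standard or infected MBR.
"""

# "\\.\C: --> \\.\PhysicalDrive0"  (drive letter -> physical disk number)
VOLUME_RE = re.compile(r"^\\\\\.\\([A-Z]):\s+-->\s+\\\\\.\\PhysicalDrive(\d+)\s*$")
# "465 GB \\.\PhysicalDrive2 Known-bad MBR code detected (...)!"
DISK_RE = re.compile(r"^(\d+)\s+GB\s+\\\\\.\\PhysicalDrive(\d+)\s+(.*?)\s*$")


def parse_mbrcheck(text):
    """Return (volumes, disks).

    volumes: drive letter -> physical disk number
    disks:   physical disk number -> (size in GB, status text as printed)
    """
    volumes, disks = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = VOLUME_RE.match(line)
        if m:
            volumes[m.group(1)] = int(m.group(2))
            continue
        m = DISK_RE.match(line)
        if m:
            disks[int(m.group(2))] = (int(m.group(1)), m.group(3))
    return volumes, disks


def infected_disks(text):
    """Disk numbers whose status MBRCheck printed as 'Known-bad ...',
    in the order the tool listed them (each needs its own restore pass)."""
    _, disks = parse_mbrcheck(text)
    return [n for n, (_, status) in disks.items() if status.startswith("Known-bad")]


def affected_volumes(text):
    """Drive letters mapped onto a disk with a known-bad MBR, sorted."""
    volumes, _ = parse_mbrcheck(text)
    bad = set(infected_disks(text))
    return sorted(letter for letter, n in volumes.items() if n in bad)


def report(text):
    """Human-readable summary of what is left to fix."""
    bad = infected_disks(text)
    if not bad:
        return "all disks report standard MBR code"
    parts = []
    for n in bad:
        letters = affected_volumes(text)
        on_disk = [l for l in letters if parse_mbrcheck(text)[0][l] == n]
        parts.append("PhysicalDrive%d (volumes %s)" % (n, ", ".join(on_disk) or "none"))
    return "%d disk(s) still flagged: %s" % (len(bad), "; ".join(parts))


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against each successive log and the count of flagged disks should fall by one per restore pass; if it does not, the rewrite did not take (the thread's own advice to reboot before re-running applies) or the boot code is being re-infected.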
  4. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    ...and yes, before you ask. The iexplore.exe processes are still popping up. I just have to connect to the web and wait for 30 seconds and there they are.
  5. Broni

    Broni Malware Annihilator Posts: 46,127   +251

    Did you reboot?
  6. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    Hmmm...I rebooted after making the change (to produce the second log in my last message) but hadn't rebooted again. I did so and now don't see the iexplore processes after a few minutes of browsing the web. I'm not *completely* confident they're gone, but I'm starting to feel a bit of optimism :)

    Should I run some other malware removers (like MBAM again) to ensure everything is OK? I noticed that there was some network activity even though I'd closed all applications. Not a lot (few kB/sec) which could be automatic updaters or the like, but I'm concerned that there's still something lurking on there. I got the virus almost a week ago so I'm still pretty paranoid.
  7. Broni

    Broni Malware Annihilator Posts: 46,127   +251

    Yeah, we just took care (hopefully :)) of the main culprit.
    More scans to come...

    Update MBAM. Give me fresh log from "Quick scan".

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  8. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    MBAM was updated and didn't turn up anything...

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4347

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    7/25/2010 6:05:02 PM
    mbam-log-2010-07-25 (18-05-02).txt

    Scan type: Quick scan
    Objects scanned: 178090
    Time elapsed: 5 minute(s), 5 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)



    ComboFix.txt is attached.

    Attached Files:

  9. Broni

    Broni Malware Annihilator Posts: 46,127   +251

    Combofix looks good too :)

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ====================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  10. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    Things were too long to paste so I've attached the files. Hope that's OK.

    Thx!

    Attached Files:

  11. Broni

    Broni Malware Annihilator Posts: 46,127   +251

    Update your Java version here: http://www.java.com/en/download/installed.jsp
    During installation, make sure to UN-check any pre-checked extra "garbage" installation, like Yahoo toolbar, or others (if offered).

    Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    ========================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
      [7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
      [2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
      [2010/07/25 18:33:50 | 000,000,000 | --SD | C] -- C:\ComboFix
      @Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:888AFB86
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
     
  12. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    I went to update the Java install and clicked on the verify link, to which it said there was a problem. I wasn't too surprised since I uninstalled Java a few days ago to ensure it wasn't contributing to the problem.

    I then went to download the full installer for the latest java package. While it was downloading I noticed two iexplore.exe processes pop up. I completed the download but disconnected the machine and killed the iexplore processes.

    ...looks like the problem may not have gone away?
  13. Broni

    Broni Malware Annihilator Posts: 46,127   +251

    Now wait, were you using IE at that moment?
  14. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    No, I don't use IE at all. I use Firefox only.

    I'm pretty sure this was a problem because when I killed the iexplore process another popped up to take its place immediately. Only when I disconnected and killed the remaining ones did they go away for good.
  15. Broni

    Broni Malware Annihilator Posts: 46,127   +251

    Apparently, something must be hiding somewhere.

    Please delete your MBRCheck file, download a fresh one and post a new log.
    Do the very same with GMER and Combofix.
  16. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    Logs as requested.

    Attached Files:

  17. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    iexplore processes came back even in the brief time it took to upload those logs. I did re-download all three from links on this forum, as you suggested.
  18. Broni

    Broni Malware Annihilator Posts: 46,127   +251

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :filefind
      hardlock.sys
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    =======================================================================

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\REND.tmp
    
    
    Driver::
    ALSysIO
    
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"=-
    "3724:TCP"=-
    
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    
    
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [IMG]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  19. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    I know I've said it already, but I really appreciate your help.


    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 22:46 on 25/07/2010 by [name removed] (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "hardlock.sys"
    C:\WINDOWS\system32\drivers\hardlock.sys --a--- 693760 bytes [19:32 20/07/2008] [14:01 22/11/2006] D95554949082FD29A04D351B58396718
    C:\WINDOWS\system32\Setup\aladdin\hasphl\hardlock.sys --a--- 693760 bytes [19:32 20/07/2008] [14:01 22/11/2006] D95554949082FD29A04D351B58396718

    -=End Of File=-

    Attached Files:
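The SystemLook log above is useful for more than confirming the driver exists: it lists every copy found, with size, two timestamps and an MD5, so the two hardlock.sys copies can be compared at a glance (here both hash to the same value, so neither has been altered relative to the other). The script below is an added example, not SystemLook's code and not from this thread, that does the same ":filefind" walk in Python and groups the hits by hash so a divergent copy stands out. It builds a constructed sample tree in a temporary directory (file name driver.sys and all paths are made up) so it runs offline.

```python
"""SystemLook-style ':filefind' in Python: locate every copy of a file name
under a root, report size, timestamps and MD5, and group copies by hash.

Added example, not SystemLook's own code. The sample tree is constructed in
a temp directory; nothing here reads a real Windows installation.
"""
import hashlib
import os
import tempfile
from datetime import datetime


def md5_of(path):
    """Upper-case hex MD5 of a file, read in chunks so large drivers are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def filefind(root, name):
    """One dict per file called `name` under `root`, matched case-insensitively
    like the Windows file system. st_ctime is creation time on Windows but
    metadata-change time on POSIX, so treat the second timestamp accordingly."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == name.lower():
                p = os.path.join(dirpath, fn)
                st = os.stat(p)
                hits.append({
                    "path": p,
                    "size": st.st_size,
                    "mtime": datetime.fromtimestamp(st.st_mtime),
                    "ctime": datetime.fromtimestamp(st.st_ctime),
                    "md5": md5_of(p),
                })
    return hits


def hash_groups(hits):
    """Group hit paths by MD5; a single group means every copy is byte-identical."""
    groups = {}
    for h in hits:
        groups.setdefault(h["md5"], []).append(h["path"])
    return groups


def format_hits(hits):
    """Render hits in the same column order as the SystemLook log."""
    return [
        "%s --a--- %d bytes [%s] [%s] %s" % (
            h["path"], h["size"],
            h["mtime"].strftime("%H:%M %d/%m/%Y"),
            h["ctime"].strftime("%H:%M %d/%m/%Y"),
            h["md5"])
        for h in hits
    ]


def build_sample_tree():
    """Constructed sample: two identical copies and one tampered copy of driver.sys."""
    root = tempfile.mkdtemp(prefix="filefind_")
    good = b"MZ" + b"\x00" * 510            # stand-in for a driver image
    tampered = b"MZ" + b"\x00" * 509 + b"\x01"  # same size, one byte differs
    layout = {
        "system32/drivers/driver.sys": good,
        "system32/Setup/vendor/driver.sys": good,
        "Temp/DRIVER.SYS": tampered,
    }
    for rel, content in layout.items():
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    hits = filefind(root, "driver.sys")
    print("\n".join(format_hits(hits)))
    for digest, paths in hash_groups(hits).items():
        print(digest, "->", len(paths), "copy/copies")
```

Size alone would not have separated the tampered copy in the sample (all three are 512 bytes); the hash does, which is why the MD5 column in a SystemLook log is the one worth comparing against a vendor-published value.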

  20. Broni

    Broni Malware Annihilator Posts: 46,127   +251

    You're very welcome :)

    Now...
    I want you to reconnect your computer to the internet and keep it that way.
    I suspect that we can't eradicate the culprit, because it seems to be alive only when you're connected.
    I don't think we can make things any worse.
    While connected, re-run GMER and Combofix, post fresh logs.
    If Combofix will want to update itself, make sure to allow it.
  21. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    I ran ComboFix while connected at least once before. While I do it again, here's the GMER log:

    Attached Files:

  22. Broni

    Broni Malware Annihilator Posts: 46,127   +251

    OK. I'll wait for Combo.
  23. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    FYI I'm going to be crazy busy in the next couple of days and I don't know when I'll get to it. I still have my laptop!

    Really appreciate your time and we'll hopefully be able to get this resolved when I have some time.

    BTW. I noticed this line appeared in my new GMER log (when I was connected) that wasn't in the old one:


    ? C:\WINDOWS\System32\svchost.exe[1824] image checksum mismatch; time/date stamp mismatch; unknown module: OLEAUT32.dll



    Does this mean anything?
  24. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    Also, I noticed the message about OTL. I think you asked me to download it around 6pm yesterday... does the fact that I got logs successfully mean it's OK? Or should I be worried? :(
  25. Broni

    Broni Malware Annihilator Posts: 46,127   +251

    That's fine...

    That OTL issue probably started a couple of hours later, but I wanted to be safe, so I put 6PM there.

    If OTL ran fine, you're OK. The infected file was installing Security Tool malware.

    Is iexplore.exe issue still present?