also @ TechSpot: Building a Thin Mini-ITX PC: Small and Silent Performance

Iexplore.exe processes pop up, apparent rootkit infection

Discussion in 'Virus and Malware Removal' started by DoktrMik, Jul 24, 2010.

Page 2 of 7

  1. DoktrMik Newcomer, in training Posts: 68

    Correct - they're all internal drives. Your description is correct except for drive 2 also has partition H, so there are four in total there.
    DoktrMik, Jul 25, 2010
    #21

  2. Broni Malware Annihilator Posts: 39,313   +175

    OK. I missed that.
    Give me a few to give you further instructions.
    Broni, Jul 25, 2010
    #22

  3. Broni Malware Annihilator Posts: 39,313   +175

    Rerun MBRCheck.
    Enter 'Y' and hit ENTER for more options and select option "2".
    When asked for physical disk number, enter 1.
    Next, enter 1 (Windows XP) for MBR code.
    Post resulting log.
    Broni, Jul 25, 2010
    #23

  4. DoktrMik Newcomer, in training Posts: 68

    MBRCheck, version 1.1.1
    (c) 2010, AD

    \\.\C: --> \\.\PhysicalDrive0
    \\.\E: --> \\.\PhysicalDrive0
    \\.\F: --> \\.\PhysicalDrive2
    \\.\G: --> \\.\PhysicalDrive2
    \\.\H: --> \\.\PhysicalDrive2
    \\.\I: --> \\.\PhysicalDrive3
    \\.\J: --> \\.\PhysicalDrive1
    \\.\Q: --> \\.\PhysicalDrive2

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    465 GB \\.\PhysicalDrive2 Known-bad MBR code detected (Whistler / Black Internet)!
    111 GB \\.\PhysicalDrive3 Known-bad MBR code detected (Whistler / Black Internet)!
    232 GB \\.\PhysicalDrive1 Known-bad MBR code detected (Whistler / Black Internet)!

    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    Options:
    [1] Dump the MBR of a physical disk to file.
    [2] Restore the MBR of a physical disk with a standard boot code.
    [3] Exit.

    Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): Available MBR codes:

    [ 0] Default (Windows XP)
    [ 1] Windows XP
    [ 2] Windows Server 2003
    [ 3] Windows Vista
    [ 4] Windows 2008
    [ 5] Windows 7
    [-1] Cancel

    Please select the MBR code to write to this drive:
    Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: Successfully wrote new MBR code!
    Please reboot your computer to complete the fix.

    Done! Press ENTER to exit...


    and after a reboot:

    MBRCheck, version 1.1.1
    (c) 2010, AD

    \\.\C: --> \\.\PhysicalDrive0
    \\.\E: --> \\.\PhysicalDrive0
    \\.\F: --> \\.\PhysicalDrive2
    \\.\G: --> \\.\PhysicalDrive2
    \\.\H: --> \\.\PhysicalDrive2
    \\.\I: --> \\.\PhysicalDrive3
    \\.\J: --> \\.\PhysicalDrive1
    \\.\Q: --> \\.\PhysicalDrive2

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    465 GB \\.\PhysicalDrive2 Known-bad MBR code detected (Whistler / Black Internet)!
    111 GB \\.\PhysicalDrive3 Known-bad MBR code detected (Whistler / Black Internet)!
    232 GB \\.\PhysicalDrive1 Windows XP MBR code detected

    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    Done! Press ENTER to exit...
    DoktrMik, Jul 25, 2010
    #24

  5. Broni Malware Annihilator Posts: 39,313   +175

    Looks good :)

    Reboot.

    Rerun MBRCheck.
    Enter 'Y' and hit ENTER for more options and select option "2".
    When asked for physical disk number, enter 2.
    Next, enter 1 (Windows XP) for MBR code.
    Post resulting log.
    Broni, Jul 25, 2010
    #25

  6. DoktrMik Newcomer, in training Posts: 68

    MBRCheck, version 1.1.1
    (c) 2010, AD

    \\.\C: --> \\.\PhysicalDrive0
    \\.\E: --> \\.\PhysicalDrive0
    \\.\F: --> \\.\PhysicalDrive2
    \\.\G: --> \\.\PhysicalDrive2
    \\.\H: --> \\.\PhysicalDrive2
    \\.\I: --> \\.\PhysicalDrive3
    \\.\J: --> \\.\PhysicalDrive1
    \\.\Q: --> \\.\PhysicalDrive2

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    465 GB \\.\PhysicalDrive2 Known-bad MBR code detected (Whistler / Black Internet)!
    111 GB \\.\PhysicalDrive3 Known-bad MBR code detected (Whistler / Black Internet)!
    232 GB \\.\PhysicalDrive1 Windows XP MBR code detected

    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Options:
    [1] Dump the MBR of a physical disk to file.
    [2] Restore the MBR of a physical disk with a standard boot code.
    [3] Exit.

    Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): Available MBR codes:

    [ 0] Default (Windows XP)
    [ 1] Windows XP
    [ 2] Windows Server 2003
    [ 3] Windows Vista
    [ 4] Windows 2008
    [ 5] Windows 7
    [-1] Cancel

    Please select the MBR code to write to this drive:

    Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: Successfully wrote new MBR code!

    Please reboot your computer to complete the fix.
    Done! Press ENTER to exit...



    And after a reboot...


    MBRCheck, version 1.1.1
    (c) 2010, AD

    \\.\C: --> \\.\PhysicalDrive0
    \\.\E: --> \\.\PhysicalDrive0
    \\.\F: --> \\.\PhysicalDrive2
    \\.\G: --> \\.\PhysicalDrive2
    \\.\H: --> \\.\PhysicalDrive2
    \\.\I: --> \\.\PhysicalDrive3
    \\.\J: --> \\.\PhysicalDrive1
    \\.\Q: --> \\.\PhysicalDrive2

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    465 GB \\.\PhysicalDrive2 Windows XP MBR code detected
    111 GB \\.\PhysicalDrive3 Known-bad MBR code detected (Whistler / Black Internet)!
    232 GB \\.\PhysicalDrive1 Windows XP MBR code detected

    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done! Press ENTER to exit...



    Y'know, I have a feeling I know what you're going to suggest next... :)
    DoktrMik, Jul 25, 2010
    #26
     

  7. Broni Malware Annihilator Posts: 39,313   +175

    Haha...LOL

    Restart computer (important!)

    Rerun MBRCheck.
    Enter 'Y' and hit ENTER for more options and select option "2".
    When asked for physical disk number, enter 3.
    Next, enter 1 (Windows XP) for MBR code.
    Post resulting log.
    Broni, Jul 25, 2010
    #27

  8. DoktrMik Newcomer, in training Posts: 68

    MBRCheck, version 1.1.1
    (c) 2010, AD

    \\.\C: --> \\.\PhysicalDrive0
    \\.\E: --> \\.\PhysicalDrive0
    \\.\F: --> \\.\PhysicalDrive2
    \\.\G: --> \\.\PhysicalDrive2
    \\.\H: --> \\.\PhysicalDrive2
    \\.\I: --> \\.\PhysicalDrive3
    \\.\J: --> \\.\PhysicalDrive1
    \\.\Q: --> \\.\PhysicalDrive2

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    465 GB \\.\PhysicalDrive2 Windows XP MBR code detected
    111 GB \\.\PhysicalDrive3 Known-bad MBR code detected (Whistler / Black Internet)!
    232 GB \\.\PhysicalDrive1 Windows XP MBR code detected


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    Options:
    [1] Dump the MBR of a physical disk to file.
    [2] Restore the MBR of a physical disk with a standard boot code.
    [3] Exit.

    Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): Available MBR codes:
    [ 0] Default (Windows XP)
    [ 1] Windows XP
    [ 2] Windows Server 2003
    [ 3] Windows Vista
    [ 4] Windows 2008
    [ 5] Windows 7
    [-1] Cancel

    Please select the MBR code to write to this drive:
    Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: Successfully wrote new MBR code!

    Please reboot your computer to complete the fix.


    ...and after a reboot we're all green:


    MBRCheck, version 1.1.1
    (c) 2010, AD

    \\.\C: --> \\.\PhysicalDrive0
    \\.\E: --> \\.\PhysicalDrive0
    \\.\F: --> \\.\PhysicalDrive2
    \\.\G: --> \\.\PhysicalDrive2
    \\.\H: --> \\.\PhysicalDrive2
    \\.\I: --> \\.\PhysicalDrive3
    \\.\J: --> \\.\PhysicalDrive1
    \\.\Q: --> \\.\PhysicalDrive2

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    465 GB \\.\PhysicalDrive2 Windows XP MBR code detected
    111 GB \\.\PhysicalDrive3 Windows XP MBR code detected
    232 GB \\.\PhysicalDrive1 Windows XP MBR code detected

    Done! Press ENTER to exit...



    Done! Press ENTER to exit...
    DoktrMik, Jul 25, 2010
    #28

  9. DoktrMik Newcomer, in training Posts: 68

    ...and yes, before you ask. The iexplore.exe processes are still popping up. I just have to connect to the web and wait for 30 seconds and there they are.
    DoktrMik, Jul 25, 2010
    #29

  10. Broni Malware Annihilator Posts: 39,313   +175

    Did you reboot?
    Broni, Jul 25, 2010
    #30

  11. DoktrMik Newcomer, in training Posts: 68

    Hmmm...I rebooted after making the change (to produce the second log in my last message) but hadn't rebooted again. I did so and now don't see the iexplore processes after a few minutes of browsing the web. I'm not *completely* confident they're gone, but I'm starting to feel a bit of optimism :)

    Should I run some other malware removers (like MBAM again) to ensure everything is OK? I noticed that there was some network activity even though I'd closed all applications. Not a lot (few kB/sec) which could be automatic updaters or the like, but I'm concerned that there's still something lurking on there. I got the virus almost a week ago so I'm still pretty paranoid.
    DoktrMik, Jul 25, 2010
    #31

  12. Broni Malware Annihilator Posts: 39,313   +175

    Yeah, we just took care (hopefully :)) of the main culprit.
    More scans to come...

    Update MBAM. Give me fresh log from "Quick scan".

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
    Broni, Jul 25, 2010
    #32

  13. DoktrMik Newcomer, in training Posts: 68

    MBAM was updated and didn't turn up anything...

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4347

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    7/25/2010 6:05:02 PM
    mbam-log-2010-07-25 (18-05-02).txt

    Scan type: Quick scan
    Objects scanned: 178090
    Time elapsed: 5 minute(s), 5 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)



    ComboFix.txt is attached.

    Attached Files:

    DoktrMik, Jul 25, 2010
    #33

  14. Broni Malware Annihilator Posts: 39,313   +175

    Combofix looks good too :)

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ====================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
    Broni, Jul 25, 2010
    #34

  15. DoktrMik Newcomer, in training Posts: 68

    Things were too long to paste so I've attached the files. Hope that's OK.

    Thx!

    Attached Files:

    DoktrMik, Jul 25, 2010
    #35

  16. Broni Malware Annihilator Posts: 39,313   +175

    Update your Java version here: http://www.java.com/en/download/installed.jsp
    During installation, make sure to UN-check any pre-checked extra "garbage" installation, like Yahoo toolbar, or others (if offered).

    Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    ========================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2010/07/25 18:33:50 | 000,000,000 | --SD | C] -- C:\ComboFix
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:888AFB86

:Services

:Reg

:Files

:Commands
[purity]
[emptytemp]
[emptyflash]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    Broni, Jul 25, 2010
    #36

  17. DoktrMik Newcomer, in training Posts: 68

    I went to update the Java install and clicked on the verify link, to which it said there was a problem. I wasn't too surprised since I uninstalled Java a few days ago to ensure it wasn't contributing to the problem.

    I then went to download the full installer for the latest java package. While it was downloading I noticed two iexplore.exe processes pop up. I completed the download but disconnected the machine and killed the iexplore processes.

    ...looks like the problem may not have gone away?
    DoktrMik, Jul 25, 2010
    #37

  18. Broni Malware Annihilator Posts: 39,313   +175

    Now wait, were you using IE at that moment?
    Broni, Jul 25, 2010
    #38

  19. DoktrMik Newcomer, in training Posts: 68

    No, I don't use IE at all. I use Firefox only.

    I'm pretty sure this was a problem because when I killed the iexplore process another popped up to take it's place immediately. Only when I disconnected and killed the remaining ones did they go away for good.
    DoktrMik, Jul 25, 2010
    #39

  20. Broni Malware Annihilator Posts: 39,313   +175

    Apparently, something must be hiding somewhere.

    Please, delete your MBRCheck file, download fresh one and post new log.
    Do the very same with GMER and Combofix.
    Broni, Jul 25, 2010
    #40
Page 2 of 7
Topic Status:
Not open for further replies.

Add New Comment

Social Login & Guest Posting

TechSpot Members
Login here or sign up for free,
it takes about a minute.
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.