Inactive Iexplore.exe processes pop up, apparent rootkit infection

[DoktrMik]

MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\E: --> \\.\PhysicalDrive0
\\.\F: --> \\.\PhysicalDrive2
\\.\G: --> \\.\PhysicalDrive2
\\.\H: --> \\.\PhysicalDrive2
\\.\I: --> \\.\PhysicalDrive3
\\.\J: --> \\.\PhysicalDrive1
\\.\Q: --> \\.\PhysicalDrive2

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
465 GB \\.\PhysicalDrive2 Known-bad MBR code detected (Whistler / Black Internet)!
111 GB \\.\PhysicalDrive3 Known-bad MBR code detected (Whistler / Black Internet)!
232 GB \\.\PhysicalDrive1 Windows XP MBR code detected

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): Available MBR codes:

[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive:

Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: Successfully wrote new MBR code!

Please reboot your computer to complete the fix.
Done! Press ENTER to exit...



And after a reboot...


MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\E: --> \\.\PhysicalDrive0
\\.\F: --> \\.\PhysicalDrive2
\\.\G: --> \\.\PhysicalDrive2
\\.\H: --> \\.\PhysicalDrive2
\\.\I: --> \\.\PhysicalDrive3
\\.\J: --> \\.\PhysicalDrive1
\\.\Q: --> \\.\PhysicalDrive2

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
465 GB \\.\PhysicalDrive2 Windows XP MBR code detected
111 GB \\.\PhysicalDrive3 Known-bad MBR code detected (Whistler / Black Internet)!
232 GB \\.\PhysicalDrive1 Windows XP MBR code detected

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done! Press ENTER to exit...



Y'know, I have a feeling I know what you're going to suggest next...

 

[Broni]

Haha...LOL

Restart computer (important!)

Rerun MBRCheck.
Enter 'Y' and hit ENTER for more options and select option "2".
When asked for physical disk number, enter 3.
Next, enter 1 (Windows XP) for MBR code.
Post resulting log.

 

[DoktrMik]

MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\E: --> \\.\PhysicalDrive0
\\.\F: --> \\.\PhysicalDrive2
\\.\G: --> \\.\PhysicalDrive2
\\.\H: --> \\.\PhysicalDrive2
\\.\I: --> \\.\PhysicalDrive3
\\.\J: --> \\.\PhysicalDrive1
\\.\Q: --> \\.\PhysicalDrive2

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
465 GB \\.\PhysicalDrive2 Windows XP MBR code detected
111 GB \\.\PhysicalDrive3 Known-bad MBR code detected (Whistler / Black Internet)!
232 GB \\.\PhysicalDrive1 Windows XP MBR code detected


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive:
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: Successfully wrote new MBR code!

Please reboot your computer to complete the fix.


...and after a reboot we're all green:


MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\E: --> \\.\PhysicalDrive0
\\.\F: --> \\.\PhysicalDrive2
\\.\G: --> \\.\PhysicalDrive2
\\.\H: --> \\.\PhysicalDrive2
\\.\I: --> \\.\PhysicalDrive3
\\.\J: --> \\.\PhysicalDrive1
\\.\Q: --> \\.\PhysicalDrive2

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
465 GB \\.\PhysicalDrive2 Windows XP MBR code detected
111 GB \\.\PhysicalDrive3 Windows XP MBR code detected
232 GB \\.\PhysicalDrive1 Windows XP MBR code detected

Done! Press ENTER to exit...



Done! Press ENTER to exit...

 

[DoktrMik]

...and yes, before you ask. The iexplore.exe processes are still popping up. I just have to connect to the web and wait for 30 seconds and there they are.

 

[Broni]

Did you reboot?

 

[DoktrMik]

Hmmm...I rebooted after making the change (to produce the second log in my last message) but hadn't rebooted again. I did so and now don't see the iexplore processes after a few minutes of browsing the web. I'm not *completely* confident they're gone, but I'm starting to feel a bit of optimism

Should I run some other malware removers (like MBAM again) to ensure everything is OK? I noticed that there was some network activity even though I'd closed all applications. Not a lot (few kB/sec) which could be automatic updaters or the like, but I'm concerned that there's still something lurking on there. I got the virus almost a week ago so I'm still pretty paranoid.

 

[Broni]

Yeah, we just took care (hopefully ) of the main culprit.
More scans to come...

Update MBAM. Give me fresh log from "Quick scan".

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
   • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
   NOTE1. If Combofix asks you to install Recovery Console, please allow it.
   NOTE 2. If Combofix asks you to update the program, always do so.
   • Close any open browsers.
   • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
   • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
   • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please post the "C:\ComboFix.txt"

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

 

[DoktrMik]

MBAM was updated and didn't turn up anything...

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4347

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/25/2010 6:05:02 PM
mbam-log-2010-07-25 (18-05-02).txt

Scan type: Quick scan
Objects scanned: 178090
Time elapsed: 5 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



ComboFix.txt is attached.

 

[Broni]

Combofix looks good too

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

====================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:



netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

• When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

 

[DoktrMik]

Things were too long to paste so I've attached the files. Hope that's OK.

Thx!

 

[Broni]

Update your Java version here: http://www.java.com/en/download/installed.jsp
During installation, make sure to UN-check any pre-checked extra "garbage" installation, like Yahoo toolbar, or others (if offered).

Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder

• Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
• Accept any prompts.

========================================================================

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
  [7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
  [2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
  [2010/07/25 18:33:50 | 000,000,000 | --SD | C] -- C:\ComboFix
  @Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:888AFB86
  
  :Services
  
  :Reg
  
  :Files
  
  :Commands
  [purity]
  [emptytemp]
  [emptyflash]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• You will get a log that shows the results of the fix. Please post it.

 

[DoktrMik]

I went to update the Java install and clicked on the verify link, to which it said there was a problem. I wasn't too surprised since I uninstalled Java a few days ago to ensure it wasn't contributing to the problem.

I then went to download the full installer for the latest java package. While it was downloading I noticed two iexplore.exe processes pop up. I completed the download but disconnected the machine and killed the iexplore processes.

...looks like the problem may not have gone away?

 

[Broni]

Now wait, were you using IE at that moment?

 

[DoktrMik]

No, I don't use IE at all. I use Firefox only.

I'm pretty sure this was a problem because when I killed the iexplore process another popped up to take it's place immediately. Only when I disconnected and killed the remaining ones did they go away for good.

 

[Broni]

Apparently, something must be hiding somewhere.

Please, delete your MBRCheck file, download fresh one and post new log.
Do the very same with GMER and Combofix.

 

[DoktrMik]

Logs as requested.

 

[DoktrMik]

iexplore processes came back even in the brief time it took to upload those logs. I did re-download all three from links on this forum, as you suggested.

 

[Broni]

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
• Vista users:: Right click on SystemLook.exe, click Run As Administrator
• Copy the content of the following box into the main textfield:
  

  :filefind
  hardlock.sys

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

=======================================================================

1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\REND.tmp


Driver::
ALSysIO


Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=-
"3724:TCP"=-

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt

 

[DoktrMik]

I know I've said it already, but I really appreciate your help.


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 22:46 on 25/07/2010 by [name removed] (Administrator - Elevation successful)

========== filefind ==========

Searching for "hardlock.sys"
C:\WINDOWS\system32\drivers\hardlock.sys --a--- 693760 bytes [19:32 20/07/2008] [14:01 22/11/2006] D95554949082FD29A04D351B58396718
C:\WINDOWS\system32\Setup\aladdin\hasphl\hardlock.sys --a--- 693760 bytes [19:32 20/07/2008] [14:01 22/11/2006] D95554949082FD29A04D351B58396718

-=End Of File=-

 

[Broni]

You're very welcome

Now...
I want you to reconnect your computer to the internet and keep it that way.
I suspect, that we can't eradicate the culprit, because it seems to be alive only when you're connected.
I don't think, we can make things any worse.
While connected, re-run GMER and Combofix, post fresh logs.
If Combofix will want to update itself, make sure to allow it.

 

[DoktrMik]

I ran ComboFix while connected at least once before. While I do it again, here's the GMER log:

 

[Broni]

OK. I'll wait for Combo.

 

[DoktrMik]

FYI I'm going to be crazy busy in the next couple of days and I don't know when I'll get to it. I still have my laptop!

Really appreciate your time and we'll hopefully be able to get this resolved when I have some time.

BTW. I noticed this line appeared in my new GMER log (when I was connected) that wasn't in the old one:


? C:\WINDOWS\System32\svchost.exe[1824] image checksum mismatch; time/date stamp mismatch; unknown module: OLEAUT32.dll



Does this mean anything?

 

[DoktrMik]

Also, I noticed the message about OTL. I think you asked me to download it around 6pm yesterday... does the fact that I got logs successfully mean it's OK? Or should I be worried?

 

[Broni]

Does this mean anything?

That's fine...

That OTL issue started probably couple of hours later, but I wanted to be safe, so I put 6PM there.

If OTL ran fine, you're OK. Infected file was installing Security Tool malware.

Is iexplore.exe issue still present?