Iexplore.exe processes pop up, apparent rootkit infection

Logs as requested.

iexplore processes came back even in the brief time it took to upload those logs. I did re-download all three from links on this forum, as you suggested.

I know I've said it already, but I really appreciate your help.


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 22:46 on 25/07/2010 by [name removed] (Administrator - Elevation successful)

========== filefind ==========

Searching for "hardlock.sys"
C:\WINDOWS\system32\drivers\hardlock.sys --a--- 693760 bytes [19:32 20/07/2008] [14:01 22/11/2006] D95554949082FD29A04D351B58396718
C:\WINDOWS\system32\Setup\aladdin\hasphl\hardlock.sys --a--- 693760 bytes [19:32 20/07/2008] [14:01 22/11/2006] D95554949082FD29A04D351B58396718

-=End Of File=-

I ran ComboFix while connected at least once before. While I do it again, here's the GMER log:

FYI I'm going to be crazy busy in the next couple of days and I don't know when I'll get to it. I still have my laptop!

Really appreciate your time and we'll hopefully be able to get this resolved when I have some time.

BTW. I noticed this line appeared in my new GMER log (when I was connected) that wasn't in the old one:


? C:\WINDOWS\System32\svchost.exe[1824] image checksum mismatch; time/date stamp mismatch; unknown module: OLEAUT32.dll



Does this mean anything?

Also, I noticed the message about OTL. I think you asked me to download it around 6pm yesterday... does the fact that I got logs successfully mean it's OK? Or should I be worried?

Yes, it's present. I'm not using the machine until I have time to deal with this problem.

So should I run Combofix again, as you last requested, or do you have some other idea?

I've literally done nothing to the machine since we last discussed this, except for print a couple of documents. It's been turned off for all but a few minutes in the last couple weeks ;(

Alright, let's get this done!

I connected to the internet, closed all my programs other than task manager, disabled my antivirus (NOD32), then started to run ComboFix from the desktop. Almost immediately, between six and eight iexplore.exe processes appeared, then immediately disappeared (presumably because ComboFix disconnected me?). Task manager closed pretty quickly too, so I have no idea if the processes were there afterwards.

ComboFix then ran through to step 52, and rebooted the machine. After rebooting, i could hear a commercial playing while ComboFix was creating its logs. CF finished, created the log file.

I rebooted and after being connected for 30-40 seconds, a pair of iexplore.exe processes popped up. So we're right back where we were, but I have a fresh log and hopefully running ComboFix while connected did something differently.

I don't have Java installed. Due to these issues I uninstalled Java completely. Should I clean up some directory instead?

How sure are you about the router? I have a complex router setup that took me some time to configure correctly, and I don't want to have to repeat that. Basically I have a FIOS router but in order to get wireless N capability I have connected a D-Link wireless router directly to the FIOS router, which has wireless turned off. Should be straightforward but I had no end of trouble getting it to work.

Another data point is that I have multiple machines in the house: another Windows XP machine (which I'm typing on now) and a Macbook.

Do I need to be connected in order to run the ipconfig commands?

Fair enough. I'll consider resetting the router. Interestingly, I ran the ipconfig and net commands while connected, then rebooted. After connecting it took almost 10 minutes for any iexplore.exe processes to be created - much longer than usual. I wonder if I somehow resolved the issue but the router re-infected me.

One interesting thing I just thought of is that the other machines connect wirelessly, whereas the desktop in question is the only thing connecting directly via ethernet cable. Gonna try a couple more things before I reboot the router...