TechSpot

Iexplore.exe virus and possibly more, 8 step process done

By haveuread
Jul 17, 2010
  1. Hi. The iexplore.exe keeps starting up in my processes and when I end it, it just restarts. There's the constant clicking sound of Internet Explorer in the background when I'm not even running it. From time to time the volume would be set to 0 as well. I can tell it's like a virus because there are occasional Internet Explorer pop-ups and sometimes invisible audio ads. I've tried so many things to solve the issue but to no avail. I was hoping that someone here would help me resolve the issue because I saw a thread with a similar issue and it was resolved.
     

    Attached Files:

  2. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Is there any reason why DDS was run from Safe Mode?
     
  3. haveuread

    haveuread TS Rookie Topic Starter

    No reason. I just had my computer running in safe mode at that time and I had it run. Should I rerun it normally?
     
  4. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Yes, please repost DDS logs from normal mode.

    When done...

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.
     
  5. haveuread

    haveuread TS Rookie Topic Starter

    I have run the DDS in normal mode.
    And the following is from the MBRCheck:
    MBRCheck, version 1.1.1
    (c) 2010, AD

    \\.\C: --> \\.\PhysicalDrive0
    \\.\D: --> \\.\PhysicalDrive0

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!

    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    Options:
    [1] Dump the MBR of a physical disk to file.
    [2] Restore the MBR of a physical disk with a standard boot code.
    [3] Exit.

    Enter your choice:
     

    Attached Files:
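The MBRCheck output above flags the boot code in sector 0 of PhysicalDrive0 as known-bad. The following Python script is an added illustration, not part of this thread and not the MBRCheck tool's own code, of the check such a tool performs: read the 512-byte sector, verify the 0x55AA boot signature, parse the four partition-table entries, hash the 440 bytes of boot code and look the digest up in an allowlist of known-good boot code. The "standard" boot-code stub, the allowlist entry, the disk signature and the sample partition layout are all constructed for the example (no real Windows boot-code hashes are reproduced), as is the tampered variant that stands in for an infected sector. It also reports how many unpartitioned sectors sit between the MBR and the first partition, because that gap is one place bootkit code can live where no file-system scan will see it.

```python
"""Parse a 512-byte MBR image and report whether its boot code is on an allowlist.

Added example with constructed data; not MBRCheck's code or hash database.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440     # bytes 0..439 hold the boot code (before the 4-byte disk signature)
PART_TABLE_OFF = 446    # four 16-byte partition entries start here
BOOT_SIG_OFF = 510      # the last two bytes must be 0x55 0xAA
# Entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
PART_ENTRY = "<B3xB3xII"

# Constructed stand-in for "standard" boot code. Real boot code is ~440 bytes of x86;
# this stub only exists so the example has something to hash.
STANDARD_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB" + b"\x90" * 24
# Constructed tampered variant: same length, a few bytes changed, as an infected sector would be.
TAMPERED_BOOT_CODE = STANDARD_BOOT_CODE[:8] + b"\xE9\x00\x01" + STANDARD_BOOT_CODE[11:]


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 over the boot-code region only (partition table and signature excluded)."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def build_mbr(boot_code: bytes, partitions=((0x80, 0x07, 63, 312_000_000),),
              write_signature: bool = True) -> bytes:
    """Assemble a sector from a boot-code stub and (status, type, start_lba, sectors) tuples.

    Constructed test data only; the disk signature value is arbitrary.
    """
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code does not fit in the boot-code region")
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code           # remainder of the region stays zero-padded
    sector[440:444] = b"\xDE\xAD\xBE\xEF"         # NT disk signature (arbitrary here)
    for i, (status, ptype, start, size) in enumerate(partitions):
        struct.pack_into(PART_ENTRY, sector, PART_TABLE_OFF + 16 * i, status, ptype, start, size)
    if write_signature:
        sector[BOOT_SIG_OFF:] = b"\x55\xAA"
    return bytes(sector)


# Allowlist keyed by digest of the zero-padded boot-code region. Constructed entry.
KNOWN_GOOD = {
    boot_code_digest(STANDARD_BOOT_CODE.ljust(BOOT_CODE_LEN, b"\0")): "Default (Windows XP) stand-in",
}


def parse_partitions(sector: bytes) -> list:
    """Return the non-empty partition entries as dicts."""
    entries = []
    for i in range(4):
        status, ptype, start_lba, sectors = struct.unpack_from(PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:        # type 0 means an unused slot
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "start_lba": start_lba, "sectors": sectors})
    return entries


def analyze_mbr(sector: bytes, known_good: dict = KNOWN_GOOD) -> dict:
    """Signature check, partition table, boot-code hash and allowlist lookup for one sector."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    digest = boot_code_digest(sector)
    partitions = parse_partitions(sector)
    first_start = min((p["start_lba"] for p in partitions), default=None)
    return {
        "signature_ok": sector[BOOT_SIG_OFF:] == b"\x55\xAA",
        "boot_code_sha256": digest,
        "boot_code_known": known_good.get(digest),      # None means "not on the allowlist"
        "partitions": partitions,
        # Sectors 1..first_start-1 belong to no partition; worth imaging when the boot code is unknown.
        "hidden_sectors_before_first_partition": (first_start - 1) if first_start else None,
    }


def demo() -> tuple:
    """Analyze a clean sector, a tampered one and one with a missing boot signature."""
    clean = analyze_mbr(build_mbr(STANDARD_BOOT_CODE))
    tampered = analyze_mbr(build_mbr(TAMPERED_BOOT_CODE))
    no_sig = analyze_mbr(build_mbr(STANDARD_BOOT_CODE, write_signature=False))
    return clean, tampered, no_sig


if __name__ == "__main__":
    for label, report in zip(("clean", "tampered", "no-signature"), demo()):
        verdict = report["boot_code_known"] or "NOT on allowlist"
        print(f"{label}: signature_ok={report['signature_ok']} boot code: {verdict} "
              f"hidden sectors: {report['hidden_sectors_before_first_partition']}")
```

On a live system the sector would be read from the raw device (for example `\\.\PhysicalDrive0` on Windows, with administrator rights) rather than built in memory, and the allowlist would hold digests of the vendor boot code you actually expect; a digest that is absent from the allowlist is a prompt to image the disk and look at the unpartitioned sectors, not by itself proof of infection.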

  6. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    It's not clear to me... is AhnLab V3 Internet Security what you use as your security program?

    Then...

    Rerun MBRCheck and select option "2".
    When asked for physical disk number, enter "0" (zero).
    Post resulting log and restart computer.
     
  7. haveuread

    haveuread TS Rookie Topic Starter

    The V3 is the internet security. I'm not sure if it is any good, but that's what I have on this computer.

    MBRCheck, version 1.1.1
    (c) 2010, AD

    \\.\C: --> \\.\PhysicalDrive0
    \\.\D: --> \\.\PhysicalDrive0

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!

    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    Options:
    [1] Dump the MBR of a physical disk to file.
    [2] Restore the MBR of a physical disk with a standard boot code.
    [3] Exit.

    Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): Available MBR codes:
    [ 0] Default (Windows XP)
    [ 1] Windows XP
    [ 2] Windows Server 2003
    [ 3] Windows Vista
    [ 4] Windows 2008
    [ 5] Windows 7
    [-1] Cancel

    Please select the MBR code to write to this drive:
     
  8. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Please, redo.
    You have to select option 2, then enter 0 (zero) for disk number and again 0 (zero) for MBR code.
     
  9. haveuread

    haveuread TS Rookie Topic Starter

    Yea. I figured I had to do that but didn't want to mess up anything.


    MBRCheck, version 1.1.1
    (c) 2010, AD

    \\.\C: --> \\.\PhysicalDrive0
    \\.\D: --> \\.\PhysicalDrive0

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!

    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    Options:
    [1] Dump the MBR of a physical disk to file.
    [2] Restore the MBR of a physical disk with a standard boot code.
    [3] Exit.

    Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): Available MBR codes:
    [ 0] Default (Windows XP)
    [ 1] Windows XP
    [ 2] Windows Server 2003
    [ 3] Windows Vista
    [ 4] Windows 2008
    [ 5] Windows 7
    [-1] Cancel

    Please select the MBR code to write to this drive:
    Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: Successfully wrote new MBR code!
    Please reboot your computer to complete the fix.

    Done! Press ENTER to exit...


    Also on a side note, I have disconnected the infected computer from the internet and am using a netbook and flash drive for this. I noticed that if I restarted my infected computer with disabled internet the iexplore.exe would not start up but later found out that it would start up again if I enabled and ran some applications that needed the internet.
     
  10. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Very smart :)

    The log looks good.
    Turn the computer off, reconnect it to the internet and restart.
    Check for the issues.

    I'll be getting ready for bed, so I'll check on you tomorrow morning.
    If issues are resolved, don't leave this topic.
    We'll have to do more checking...:)
     
  11. haveuread

    haveuread TS Rookie Topic Starter

    Thank you very much for your help.
    Will check back tomorrow.
    Thanks once again.
     
  12. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Let me know how the issues are.
     
  13. haveuread

    haveuread TS Rookie Topic Starter

    So far so good. The iexplore.exe is not starting up by itself. I don't hear any clicking noises and my volume remains unchanged.
     
  14. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Nice :)

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  15. haveuread

    haveuread TS Rookie Topic Starter

    Here are the results.
     

    Attached Files:

  16. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    I strongly recommend you uninstall Uniblue RegistryBooster. Registry tools are not recommended and here is why: http://miekiemoes.blogspot.com/2008/02/registry-cleaners-and-system-tweaking_13.html

    Combofix log looks clean :)

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    =======================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  17. haveuread

    haveuread TS Rookie Topic Starter

    The txt was too long, so I will attach them.
     

    Attached Files:

  18. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Update your Java version here: http://www.java.com/en/download/installed.jsp
    During installation, make sure to UN-check any pre-checked extra "garbage" installation, like Yahoo toolbar, or others.
    Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista/7).

    =================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\dell\LOCALS~1\Temp\catchme.sys -- (catchme)
      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      [2010/07/16 02:11:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dell\Application Data\Uniblue
      [2010/06/26 09:43:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\dell\Local Settings\Application Data\fjaqvdrxt
      @Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
     
  19. haveuread

    haveuread TS Rookie Topic Starter

    The first one is from the fix.
     

    Attached Files:

  20. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Good :)

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  21. haveuread

    haveuread TS Rookie Topic Starter

    My computer keeps freezing during the scan. Don't know what to do.
     
  22. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    TFC, or Kaspersky?
     
  23. haveuread

    haveuread TS Rookie Topic Starter

    Kaspersky. I updated the scanner and then I made it scan my computer. It was taking a long time, and at around 17% completion my computer froze.
     
  24. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • IMPORTANT! UN-check Remove found threats
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Push Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
     
  25. haveuread

    haveuread TS Rookie Topic Starter

    It seems that the scanner gets stuck at a certain point. First it was a random Word file that I had in My Documents. I got rid of that file and started the scan again. Then it got stuck on the plugin-container.exe file as it was scanning.
     
Topic Status:
Not open for further replies.
