Solved Keep getting iexplore.exe in Task Manager?

Status
Not open for further replies.

Ace2112

Posts: 22   +0
I had a file called loader.exe that kept opening several instances of iexplore.exe in the Task Manager. Loader did stay gone when I closed it via the Task Manager, but the iexplore.exe continues to come back. I ran Spybot. It did not reveal anything, nor did AVG. Eventually I got the BSOD & my system crashed. After POST it would hang on a blank screen. I had to use the Vista install disc to reboot. I ran the startup utility and it allowed me to boot. Currently iexplore.exe does not show in the Task Manager. It only shows when I run Process Explorer from Sysinternals. Either 2 or 3 instances are always running.

How can I clean this up? Thanks.

Here is my partial DDS log. It said my post was too long to add MBRCheck & RKUnhooker logs. ... I keep getting a BSOD with GMER even with IAT & Show All unchecked. So I will not be able to post that log.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 16:49:04.98 on Tue 07/20/2010
Internet Explorer: 8.0.6001.18928 BrowserJavaVersion: 1.6.0_05
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.3326.1955 [GMT -5:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
svchost.exe 4
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
svchost.exe 4
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLSERVER08\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Wacom_Tablet.exe
C:\Program Files\_Utillities\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\Wacom_Tablet.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\SoundTray.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\_Utillities\CoreTemp32\Core Temp.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Users\Owner\Process Explorer v11.20\procexp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Owner\Desktop\Screwed\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - g:\flashget 1.9.6 app\jccatch.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - g:\flashget 1.9.6 app\getflash.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundTray] c:\program files\analog devices\soundmax\SoundTray.exe
mRun: [CPU Power Monitor] "c:\program files\asus\ai suite\aigear3\CpuPowerMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [DigidesignMMERefresh] c:\program files\digidesign\drivers\MMERefresh.exe
StartupFolder: c:\users\Owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\corete~1.lnk - c:\program files\_utillities\coretemp32\Core Temp.exe
StartupFolder: c:\users\Owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\autoru~1\youtub~1.lnk - c:\users\Owner\appdata\local\youtube\uploader\youtubeuploader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\colorv~1.lnk - c:\program files\colorvision\colorvisionstartup\ColorVisionStartup.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Download All with FlashGet - g:\flashget 1.9.6 app\jc_all.htm
IE: &Download with FlashGet - g:\flashget 1.9.6 app\jc_link.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - g:\flashget 1.9.6 app\FlashGet.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: comodo.net\secure
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\_utillities\super antispyware\SASWINLO.DLL
AppInit_DLLs: avgrsstx.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\_utillities\super antispyware\SASSEH.DLL
mASetup: {7070D8E0-650A-46b3-B03C-9497582E6A74} - %SystemRoot%\system32\soundschemes.exe /AddRegistration
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\Owner\appdata\roaming\mozilla\firefox\profiles\lhr643ql.default\
FF - prefs.js: browser.startup.homepage - hxxps://encrypted.google.com
FF - component: c:\program files\_internet apps\firefox 2.0\components\browserdirprovider.dll
FF - component: c:\program files\_internet apps\firefox 2.0\components\brwsrcmp.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\google\google gears\firefox\lib\ff35\gears.dll
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
FF - component: c:\users\Owner\appdata\roaming\mozilla\firefox\profiles\lhr643ql.default\extensions\downloadscontextmenu@bmproductions\components\contextmenu.dll
FF - plugin: c:\program files\_internet apps\firefox 2.0\plugins\np-mswmp.dll
FF - plugin: c:\program files\_internet apps\firefox 2.0\plugins\np_gp.dll
FF - plugin: c:\program files\_internet apps\firefox 2.0\plugins\npdivx32.dll
FF - plugin: c:\program files\_internet apps\firefox 2.0\plugins\npDivxPlayerPlugin.dll
FF - plugin: c:\program files\_internet apps\firefox 2.0\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\_internet apps\firefox 2.0\plugins\npnul32.dll
FF - plugin: c:\program files\_internet apps\firefox 2.0\plugins\NPOFF12.DLL
FF - plugin: c:\program files\_internet apps\firefox 2.0\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\_internet apps\firefox 2.0\plugins\nppdf32.dll
FF - plugin: c:\program files\_internet apps\firefox 2.0\plugins\npqtplugin.dll
FF - plugin: c:\program files\_internet apps\firefox 2.0\plugins\npqtplugin2.dll
FF - plugin: c:\program files\_internet apps\firefox 2.0\plugins\npqtplugin3.dll
FF - plugin: c:\program files\_internet apps\firefox 2.0\plugins\npqtplugin4.dll
FF - plugin: c:\program files\_internet apps\firefox 2.0\plugins\npqtplugin5.dll
FF - plugin: c:\program files\_internet apps\firefox 2.0\plugins\npqtplugin6.dll
FF - plugin: c:\program files\_internet apps\firefox 2.0\plugins\npqtplugin7.dll
FF - plugin: c:\program files\av apps\divx 7\divx\divx player\npDivxPlayerPlugin.dll
FF - plugin: c:\program files\av apps\divx 7\divx\divx web player\npdivx32.dll
FF - plugin: c:\program files\av apps\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\av apps\vlc 1.0\vlc\npvlc.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\tabletplugins\npwacom.dll
FF - plugin: c:\users\Owner\appdata\local\google\update\1.2.121.17\npGoogleOneClick.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {C14983A1-7240-4183-A96A-6134FC295B3B} - c:\users\Owner\appdata\local\{C14983A1-7240-4183-A96A-6134FC295B3B}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\_internet apps\firefox 2.0\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\_internet apps\firefox 2.0\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\_internet apps\firefox 2.0\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\_internet apps\firefox 2.0\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\_internet apps\firefox 2.0\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\_internet apps\firefox 2.0\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\_internet apps\firefox 2.0\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-28 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-28 29584]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-28 243024]
R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\drivers\RtlProt.sys [2008-4-4 15360]
R1 SASDIFSV;SASDIFSV;c:\program files\_utillities\super antispyware\SASDIFSV.SYS [2008-9-3 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\_utillities\super antispyware\SASKUTIL.SYS [2008-9-3 67656]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-15 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [2009-12-13 16400]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-5-1 181544]
R2 MsDtsServer;SQL Server Integration Services;c:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2007-2-10 206192]
R2 msftesql$JCDB;SQL Server FullText Search (JCDB);c:\program files\microsoft sql server\mssql.1\mssql\binn\msftesql.exe [2006-8-28 92952]
R2 MSOLAP$JCDB;SQL Server Analysis Services (JCDB);c:\program files\microsoft sql server\mssql.2\olap\bin\msmdsrv.exe [2007-2-10 14894960]
R2 MSSQL$JCDB;SQL Server (JCDB);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2007-2-10 29178224]
R2 MSSQL$SQLSERVER08;SQL Server (SQLSERVER08);c:\program files\microsoft sql server\mssql10.sqlserver08\mssql\binn\sqlservr.exe [2008-7-10 40999448]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\_utillities\spybot - search & destroy\SDWinSec.exe [2008-9-23 1153368]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-8-5 5010288]
S2 gupdate1c9a4e85d36b427;Google Update Service (gupdate1c9a4e85d36b427);c:\program files\google\update\GoogleUpdate.exe [2009-3-14 133104]
S3 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\microsoft sql server\100\dts\binn\MsDtsSrvr.exe [2008-7-10 218136]
S3 MSOLAP$SQLSERVER08;SQL Server Analysis Services (SQLSERVER08);c:\program files\microsoft sql server\msas10.sqlserver08\olap\bin\msmdsrv.exe [2008-7-10 21945368]
S3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-6-27 335872]
S3 SASENUM;SASENUM;c:\program files\_utillities\super antispyware\SASENUM.SYS [2008-9-3 12872]
S3 Spyder2;ColorVision Spyder2;c:\windows\system32\drivers\Spyder2.sys [2009-3-11 12288]
S3 SQLAgent$JCDB;SQL Server Agent (JCDB);c:\program files\microsoft sql server\mssql.1\mssql\binn\SQLAGENT90.EXE [2007-2-10 344944]
S3 SQLAgent$SQLSERVER08;SQL Server Agent (SQLSERVER08);c:\program files\microsoft sql server\mssql10.sqlserver08\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-10-26 2799808]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
 
Thanks for the help. I can't get GMER to run even with the proper settings; it gives me the BSOD. Can I be helped without that log? I also have a RKUnhooker log if you want that.
I will have to attach the info. It's too long to paste...
 

Attachments

  • DDS Log 2010-07-20_04.52pm.txt (23.4 KB)
  • DDS Attach 2010-07-20_04.52pm.txt (11 KB)
  • mbam-log-2010-07-20 (22-26-42).txt (929 bytes)
Download Bootkit Remover to your Desktop.

  • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.
 
Here it is. Thanks.

Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: 0d2aa81fc61f2f9214afebf1c96a2f88
\\.\E: -> \\.\PhysicalDrive2
MD5: 0d2aa81fc61f2f9214afebf1c96a2f88
\\.\F: -> \\.\PhysicalDrive2
\\.\G: -> \\.\PhysicalDrive3
MD5: 0d2aa81fc61f2f9214afebf1c96a2f88
\\.\H: -> \\.\PhysicalDrive1
MD5: 0d2aa81fc61f2f9214afebf1c96a2f88

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Unknown boot code
465 GB \\.\PhysicalDrive2 Unknown boot code
1397 GB \\.\PhysicalDrive3 Unknown boot code
1863 GB \\.\PhysicalDrive1 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Press any key to quit...
 
Open Notepad
Copy and paste the following text into Notepad:
Code:
@ECHO OFF
START 
remover.exe fix \\.\PhysicalDrive0
remover.exe fix \\.\PhysicalDrive2
remover.exe fix \\.\PhysicalDrive3
remover.exe fix \\.\PhysicalDrive1
EXIT
Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.bat.
Save fix.bat to your Desktop.

Run fix.bat by double clicking.
You may see a black box appear; this is normal.

When done, run remover.exe again and post its output.

Do NOT reboot computer!
 
Here is my result...

Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: 0d2aa81fc61f2f9214afebf1c96a2f88
\\.\E: -> \\.\PhysicalDrive2
MD5: 0d2aa81fc61f2f9214afebf1c96a2f88
\\.\F: -> \\.\PhysicalDrive2
\\.\G: -> \\.\PhysicalDrive3
MD5: 0d2aa81fc61f2f9214afebf1c96a2f88
\\.\H: -> \\.\PhysicalDrive1
MD5: 0d2aa81fc61f2f9214afebf1c96a2f88

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Unknown boot code
465 GB \\.\PhysicalDrive2 Unknown boot code
1397 GB \\.\PhysicalDrive3 Unknown boot code
1863 GB \\.\PhysicalDrive1 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Press any key to quit...
 
How do I stop having to have my posts approved before they are seen? This creates a delay in the process. Thanks for all the help.
 
How do I stop having to have my post approved before they are seen?
You shouldn't have this problem anymore. It affects users with less than 5 posts.

The fix didn't work for whatever reason.
Let's try one at a time...

Open Notepad
Copy and paste the following text into Notepad:
Code:
@ECHO OFF
START 
remover.exe fix \\.\PhysicalDrive0
EXIT
Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.bat.
Save fix.bat to your Desktop.

Run fix.bat by double clicking.
You may see a black box appear; this is normal.

When done, run remover.exe again and post its output.
 
Thanks for your help.
I think that worked for PhysicalDrive0.

Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: 0ec6b2481fc707d1e901dc2a875f2826
\\.\E: -> \\.\PhysicalDrive2
MD5: 0d2aa81fc61f2f9214afebf1c96a2f88
\\.\F: -> \\.\PhysicalDrive2
\\.\G: -> \\.\PhysicalDrive3
MD5: 0d2aa81fc61f2f9214afebf1c96a2f88
\\.\H: -> \\.\PhysicalDrive1
MD5: 0d2aa81fc61f2f9214afebf1c96a2f88

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
465 GB \\.\PhysicalDrive2 Unknown boot code
1397 GB \\.\PhysicalDrive3 Unknown boot code
1863 GB \\.\PhysicalDrive1 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Press any key to quit...
 
Yes.
Restart computer (important!) and...

Open Notepad
Copy and paste the following text into Notepad:
Code:
@ECHO OFF
START 
remover.exe fix \\.\PhysicalDrive2
EXIT
Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.bat.
Save fix.bat to your Desktop.

Run fix.bat by double clicking.
You may see a black box appear; this is normal.

When done, run remover.exe again and post its output.
 
I'm having the problem with my desktop comp. When I tried to reboot it threw up an error and said I had to use my Vista install disc to repair my computer. I'm typing this from my laptop. Is this normal? I assume we are going to try the script on each disk? Will I have to do this each time I reboot? I'm waiting for the OS on the disk to load.

Thanks again for your help.
 
Do you have Vista DVD?
What type of Windows do you have installed on other drives?
 
I have the Vista Ultimate 32bit DVD on Drive C. It's the only OS on the comp. I went through the repair process. Everything seems to be working.

Next step? Thanks again.
 
OK. Re-run remover.exe and post fresh log.
Is iexplore.exe gone?

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
I don't see iexplore.exe, but I never know when it will appear and I can only see it using Process Explorer from Sysinternals. It does not ever show in the OS Task Manager.

I'll do the ComboFix now.
Thanks

Here is the remover log.
Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: 0ec6b2481fc707d1e901dc2a875f2826
\\.\E: -> \\.\PhysicalDrive2
MD5: 0d2aa81fc61f2f9214afebf1c96a2f88
\\.\F: -> \\.\PhysicalDrive2
\\.\G: -> \\.\PhysicalDrive3
MD5: 0d2aa81fc61f2f9214afebf1c96a2f88
\\.\H: -> \\.\PhysicalDrive1
MD5: 0d2aa81fc61f2f9214afebf1c96a2f88

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
465 GB \\.\PhysicalDrive2 Unknown boot code
1397 GB \\.\PhysicalDrive3 Unknown boot code
1863 GB \\.\PhysicalDrive1 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Press any key to quit...
 
OK. Looks good :)

I'll be getting ready for bed, so I'll check back on you tomorrow...
 
Thanks.

Does it matter that remover listed Unknown boot code on the following disks? Will that be fixed by ComboFix?

465 GB \\.\PhysicalDrive2 Unknown boot code
1397 GB \\.\PhysicalDrive3 Unknown boot code
1863 GB \\.\PhysicalDrive1 Unknown boot code
 
Since there is no OS installed on those disks, there is no boot code. You're fine.
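The remover output above reports, per physical disk, an MD5 of the boot sector and an "MBR Status" of either "OK (DOS/Win32 Boot code found)" or "Unknown boot code", and the reply explains that a data-only disk with no OS simply has no boot code to recognise. The following Python script is an added example for this thread, not code from Bootkit Remover (eSage Lab) or from anyone in the discussion: it reads a 512-byte master boot record, hashes the boot-code region, parses the partition table and sorts each sector into "no boot signature", "no boot code", a recognised Microsoft-style prologue, or "unknown boot code". The remover's own checks are not shown on this page, so the classification rules, the prologue allow-list and the sample sectors are this example's own constructions.

```python
"""Parse raw 512-byte master boot records and classify their boot code.

Added example for this thread, not Bootkit Remover's code. Layout assumed
is the classic MBR: bytes 0..439 boot code, 440..443 disk signature,
444..445 reserved, 446..509 four 16-byte partition entries, 510..511 the
0x55AA boot signature. Every sample sector below is constructed.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_END = 440
PART_TABLE_OFF = 446
BOOT_SIG_OFF = 510
BOOT_SIG = b"\x55\xAA"

# Instruction prologues the classic Microsoft MBRs begin with
# (xor ax,ax / mov ss,ax / mov sp,0x7c00, optionally preceded by cli).
# Heuristic allow-list for this example only, not the remover's logic.
KNOWN_PROLOGUES = (
    b"\x33\xC0\x8E\xD0\xBC\x00\x7C",      # Windows 2000/XP/Vista/7 MBR
    b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C",  # MS-DOS / Windows 9x MBR
)


def read_mbr(path):
    """Read the first sector from a disk image file or, on Windows run as
    Administrator, from a raw device such as r'\\.\PhysicalDrive0'."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


def parse_partitions(sector):
    """Return the non-empty entries of the four-slot partition table."""
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return parts


def classify_mbr(sector):
    """Classify one sector in the spirit of the remover's 'MBR Status' column."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    boot_code = sector[:BOOT_CODE_END]
    result = {"md5": hashlib.md5(boot_code).hexdigest(),
              "partitions": parse_partitions(sector)}
    if sector[BOOT_SIG_OFF:] != BOOT_SIG:
        result["status"] = "no boot signature"   # not a usable MBR at all
    elif not any(boot_code):
        result["status"] = "no boot code"        # data-only disk, nothing to execute
    elif boot_code.startswith(KNOWN_PROLOGUES):
        result["status"] = "OK (DOS/Win32 boot code found)"
    else:
        result["status"] = "unknown boot code"   # compare its hash with a known-good copy
    return result


def scan_disks(disks):
    """Classify a {device name: sector} mapping."""
    return {name: classify_mbr(sector) for name, sector in disks.items()}


def group_by_boot_code(disks):
    """Map each boot-code MD5 to the disks carrying it, so identical code on
    disks that should differ (one bootable, the rest data-only) stands out."""
    groups = {}
    for name, sector in disks.items():
        digest = hashlib.md5(sector[:BOOT_CODE_END]).hexdigest()
        groups.setdefault(digest, []).append(name)
    return {h: sorted(names) for h, names in groups.items()}


def build_sample(boot_code, partitions=(), with_signature=True):
    """Assemble a constructed 512-byte MBR for the demo below."""
    sector = boot_code.ljust(BOOT_CODE_END, b"\x00") + b"\x12\x34\x56\x78\x00\x00"
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if bootable else 0, ptype, lba, n)
                     for bootable, ptype, lba, n in partitions)
    sector += table.ljust(64, b"\x00") + (BOOT_SIG if with_signature else b"\x00\x00")
    assert len(sector) == MBR_SIZE
    return sector


# Constructed sample set: one Windows system disk, one data disk with an
# empty boot area, and two data disks carrying the same unrecognised code.
_ODD_CODE = b"\xEB\x1C\x90" + bytes(range(0x20, 0x60))
SAMPLE_DISKS = {
    "PhysicalDrive0": build_sample(KNOWN_PROLOGUES[0] + b"\x8E\xC0\x8E\xD8",
                                   [(True, 0x07, 2048, 975_000_000)]),
    "PhysicalDrive1": build_sample(b"", [(False, 0x07, 2048, 3_900_000_000)]),
    "PhysicalDrive2": build_sample(_ODD_CODE, [(False, 0x07, 2048, 975_000_000)]),
    "PhysicalDrive3": build_sample(_ODD_CODE, [(False, 0x07, 2048, 2_900_000_000)]),
}

if __name__ == "__main__":
    for name, info in scan_disks(SAMPLE_DISKS).items():
        print(f"{name:15} {info['status']:35} md5={info['md5']}")
    for digest, names in group_by_boot_code(SAMPLE_DISKS).items():
        if len(names) > 1:
            print(f"same boot code on {', '.join(names)} ({digest})")
```

The hash alone says nothing about whether boot code is good or bad; what matters is comparing it against a known-good copy of the boot sector for that Windows version, and noticing when several disks that should be unrelated carry byte-identical code. On a live Windows machine the raw device path takes the same `\\.\PhysicalDriveN` form the remover prints, and reading it requires an elevated prompt; on any other system the script can be pointed at a disk image file instead.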
 
Broni:
I think I'm clean. Should I try anything else?
Do you have a PayPal tip jar? You need one. Thanks for the help!
 
You're welcome :)
However, I won't let you go until I'm 100% sure your computer is clean.
I accept donations in "Thank you" notes :)

Please, run Combofix (my reply #15).
 