TechSpot

Keep getting iexplore.exe in Task Manager?

By Ace2112
Jul 20, 2010
  1. I had a file called loader.exe that kept opening several instances of iexplore.exe in the task manager. Loader did stay gone when I closed it via the task manager, but the iexplore.exe continues to come back. I ran Spybot. It did not reveal anything, nor did AVG. Eventually I got the BSOD & my system crashed. After posting it would hang on a blank screen. I had to use the Vista install disc to reboot. I ran the start up utility and it allowed me to boot. Currently iexplore.exe does not show in the task mgr. It only shows when I run Process Explorer from sysinternals. Either 2 or 3 instances are always running.

    How can I clean this up? Thanks.

    Here is my partial DDS log. It said my post was too long to add MBRCheck & RKUnhooker logs. ... I keep getting a BSOD with GMER even with IAT & Show All unchecked. So I will not be able to post that log.


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Owner at 16:49:04.98 on Tue 07/20/2010
    Internet Explorer: 8.0.6001.18928 BrowserJavaVersion: 1.6.0_05
    Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.3326.1955 [GMT -5:00]

    SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    svchost.exe 4
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    svchost.exe 4
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\AEADISRV.EXE
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\Program Files\Microsoft SQL Server\MSSQL10.SQLSERVER08\MSSQL\Binn\sqlservr.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\PnkBstrA.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\Wacom_Tablet.exe
    C:\Program Files\_Utillities\Spybot - Search & Destroy\SDWinSec.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\Wacom_Tablet.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Analog Devices\SoundMAX\SoundTray.exe
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
    C:\Program Files\AVG\AVG9\avgtray.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\_Utillities\CoreTemp32\Core Temp.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\system32\svchost.exe -k HPService
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
    C:\Users\Owner\Process Explorer v11.20\procexp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Users\Owner\Desktop\Screwed\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - g:\flashget 1.9.6 app\jccatch.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
    BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - g:\flashget 1.9.6 app\getflash.dll
    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [SoundTray] c:\program files\analog devices\soundmax\SoundTray.exe
    mRun: [CPU Power Monitor] "c:\program files\asus\ai suite\aigear3\CpuPowerMonitor.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
    mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
    mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
    mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
    mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [DigidesignMMERefresh] c:\program files\digidesign\drivers\MMERefresh.exe
    StartupFolder: c:\users\Owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\corete~1.lnk - c:\program files\_utillities\coretemp32\Core Temp.exe
    StartupFolder: c:\users\Owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\autoru~1\youtub~1.lnk - c:\users\Owner\appdata\local\youtube\uploader\youtubeuploader.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\colorv~1.lnk - c:\program files\colorvision\colorvisionstartup\ColorVisionStartup.exe
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: &Download All with FlashGet - g:\flashget 1.9.6 app\jc_all.htm
    IE: &Download with FlashGet - g:\flashget 1.9.6 app\jc_link.htm
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
    IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
    IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - g:\flashget 1.9.6 app\FlashGet.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
    IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    Trusted Zone: comodo.net\secure
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: turbotax.com
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: !SASWinLogon - c:\program files\_utillities\super antispyware\SASWINLO.DLL
    AppInit_DLLs: avgrsstx.dll
    STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\_utillities\super antispyware\SASSEH.DLL
    mASetup: {7070D8E0-650A-46b3-B03C-9497582E6A74} - %SystemRoot%\system32\soundschemes.exe /AddRegistration
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\Owner\appdata\roaming\mozilla\firefox\profiles\lhr643ql.default\
    FF - prefs.js: browser.startup.homepage - hxxps://encrypted.google.com
    FF - component: c:\program files\_internet apps\firefox 2.0\components\browserdirprovider.dll
    FF - component: c:\program files\_internet apps\firefox 2.0\components\brwsrcmp.dll
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
    FF - component: c:\program files\google\google gears\firefox\lib\ff35\gears.dll
    FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
    FF - component: c:\users\Owner\appdata\roaming\mozilla\firefox\profiles\lhr643ql.default\extensions\downloadscontextmenu@bmproductions\components\contextmenu.dll
    FF - plugin: c:\program files\_internet apps\firefox 2.0\plugins\np-mswmp.dll
    FF - plugin: c:\program files\_internet apps\firefox 2.0\plugins\np_gp.dll
    FF - plugin: c:\program files\_internet apps\firefox 2.0\plugins\npdivx32.dll
    FF - plugin: c:\program files\_internet apps\firefox 2.0\plugins\npDivxPlayerPlugin.dll
    FF - plugin: c:\program files\_internet apps\firefox 2.0\plugins\npFoxitReaderPlugin.dll
    FF - plugin: c:\program files\_internet apps\firefox 2.0\plugins\npnul32.dll
    FF - plugin: c:\program files\_internet apps\firefox 2.0\plugins\NPOFF12.DLL
    FF - plugin: c:\program files\_internet apps\firefox 2.0\plugins\npOGAPlugin.dll
    FF - plugin: c:\program files\_internet apps\firefox 2.0\plugins\nppdf32.dll
    FF - plugin: c:\program files\_internet apps\firefox 2.0\plugins\npqtplugin.dll
    FF - plugin: c:\program files\_internet apps\firefox 2.0\plugins\npqtplugin2.dll
    FF - plugin: c:\program files\_internet apps\firefox 2.0\plugins\npqtplugin3.dll
    FF - plugin: c:\program files\_internet apps\firefox 2.0\plugins\npqtplugin4.dll
    FF - plugin: c:\program files\_internet apps\firefox 2.0\plugins\npqtplugin5.dll
    FF - plugin: c:\program files\_internet apps\firefox 2.0\plugins\npqtplugin6.dll
    FF - plugin: c:\program files\_internet apps\firefox 2.0\plugins\npqtplugin7.dll
    FF - plugin: c:\program files\av apps\divx 7\divx\divx player\npDivxPlayerPlugin.dll
    FF - plugin: c:\program files\av apps\divx 7\divx\divx web player\npdivx32.dll
    FF - plugin: c:\program files\av apps\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\av apps\vlc 1.0\vlc\npvlc.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\tabletplugins\npwacom.dll
    FF - plugin: c:\users\Owner\appdata\local\google\update\1.2.121.17\npGoogleOneClick.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: XULRunner: {C14983A1-7240-4183-A96A-6134FC295B3B} - c:\users\Owner\appdata\local\{C14983A1-7240-4183-A96A-6134FC295B3B}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\_internet apps\firefox 2.0\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\_internet apps\firefox 2.0\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\_internet apps\firefox 2.0\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\_internet apps\firefox 2.0\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\_internet apps\firefox 2.0\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\_internet apps\firefox 2.0\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\_internet apps\firefox 2.0\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-28 216400]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-28 29584]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-28 243024]
    R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\drivers\RtlProt.sys [2008-4-4 15360]
    R1 SASDIFSV;SASDIFSV;c:\program files\_utillities\super antispyware\SASDIFSV.SYS [2008-9-3 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\_utillities\super antispyware\SASKUTIL.SYS [2008-9-3 67656]
    R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-15 921952]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
    R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [2009-12-13 16400]
    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-5-1 181544]
    R2 MsDtsServer;SQL Server Integration Services;c:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2007-2-10 206192]
    R2 msftesql$JCDB;SQL Server FullText Search (JCDB);c:\program files\microsoft sql server\mssql.1\mssql\binn\msftesql.exe [2006-8-28 92952]
    R2 MSOLAP$JCDB;SQL Server Analysis Services (JCDB);c:\program files\microsoft sql server\mssql.2\olap\bin\msmdsrv.exe [2007-2-10 14894960]
    R2 MSSQL$JCDB;SQL Server (JCDB);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2007-2-10 29178224]
    R2 MSSQL$SQLSERVER08;SQL Server (SQLSERVER08);c:\program files\microsoft sql server\mssql10.sqlserver08\mssql\binn\sqlservr.exe [2008-7-10 40999448]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\_utillities\spybot - search & destroy\SDWinSec.exe [2008-9-23 1153368]
    R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-8-5 5010288]
    S2 gupdate1c9a4e85d36b427;Google Update Service (gupdate1c9a4e85d36b427);c:\program files\google\update\GoogleUpdate.exe [2009-3-14 133104]
    S3 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\microsoft sql server\100\dts\binn\MsDtsSrvr.exe [2008-7-10 218136]
    S3 MSOLAP$SQLSERVER08;SQL Server Analysis Services (SQLSERVER08);c:\program files\microsoft sql server\msas10.sqlserver08\olap\bin\msmdsrv.exe [2008-7-10 21945368]
    S3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-6-27 335872]
    S3 SASENUM;SASENUM;c:\program files\_utillities\super antispyware\SASENUM.SYS [2008-9-3 12872]
    S3 Spyder2;ColorVision Spyder2;c:\windows\system32\drivers\Spyder2.sys [2009-3-11 12288]
    S3 SQLAgent$JCDB;SQL Server Agent (JCDB);c:\program files\microsoft sql server\mssql.1\mssql\binn\SQLAGENT90.EXE [2007-2-10 344944]
    S3 SQLAgent$SQLSERVER08;SQL Server Agent (SQLSERVER08);c:\program files\microsoft sql server\mssql10.sqlserver08\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]
    S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-10-26 2799808]
    S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
     
  2. Broni

    Broni Malware Annihilator Posts: 52,897   +344

  3. Ace2112

    Ace2112 TS Rookie Topic Starter Posts: 22

    Thanks for the help. I can't get GMER to run even with the proper settings, gives me the BSOD. Can I be helped without that log? I also have a RKUnhooker log if you want that.
    I will have to attach the info. It's too long to paste...
     


  4. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Download Bootkit Remover to your Desktop.

    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  5. Ace2112

    Ace2112 TS Rookie Topic Starter Posts: 22

    Here it is. Thanks.

    Bootkit Remover version 1.0.0.1
    (c) 2009 eSage Lab
    www.esagelab.com

    \\.\C: -> \\.\PhysicalDrive0
    MD5: 0d2aa81fc61f2f9214afebf1c96a2f88
    \\.\E: -> \\.\PhysicalDrive2
    MD5: 0d2aa81fc61f2f9214afebf1c96a2f88
    \\.\F: -> \\.\PhysicalDrive2
    \\.\G: -> \\.\PhysicalDrive3
    MD5: 0d2aa81fc61f2f9214afebf1c96a2f88
    \\.\H: -> \\.\PhysicalDrive1
    MD5: 0d2aa81fc61f2f9214afebf1c96a2f88

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Unknown boot code
    465 GB \\.\PhysicalDrive2 Unknown boot code
    1397 GB \\.\PhysicalDrive3 Unknown boot code
    1863 GB \\.\PhysicalDrive1 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Press any key to quit...
     
  6. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Open Notepad
    Copy and paste the following text into Notepad:
    Code:
    @ECHO OFF
    START 
    remover.exe fix \\.\PhysicalDrive0
    remover.exe fix \\.\PhysicalDrive2
    remover.exe fix \\.\PhysicalDrive3
    remover.exe fix \\.\PhysicalDrive1
    EXIT
    Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
    Then in the FILE NAME box type fix.bat.
    Save fix.bat to your Desktop.

    Run fix.bat by double clicking.
    You may see a black box appear; this is normal.

    When done, run remover.exe again and post its output.

    Do NOT reboot computer!
     
  7. Ace2112

    Ace2112 TS Rookie Topic Starter Posts: 22

    Here is my result...

    Bootkit Remover version 1.0.0.1
    (c) 2009 eSage Lab
    www.esagelab.com

    \\.\C: -> \\.\PhysicalDrive0
    MD5: 0d2aa81fc61f2f9214afebf1c96a2f88
    \\.\E: -> \\.\PhysicalDrive2
    MD5: 0d2aa81fc61f2f9214afebf1c96a2f88
    \\.\F: -> \\.\PhysicalDrive2
    \\.\G: -> \\.\PhysicalDrive3
    MD5: 0d2aa81fc61f2f9214afebf1c96a2f88
    \\.\H: -> \\.\PhysicalDrive1
    MD5: 0d2aa81fc61f2f9214afebf1c96a2f88

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Unknown boot code
    465 GB \\.\PhysicalDrive2 Unknown boot code
    1397 GB \\.\PhysicalDrive3 Unknown boot code
    1863 GB \\.\PhysicalDrive1 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Press any key to quit...
     
  8. Ace2112

    Ace2112 TS Rookie Topic Starter Posts: 22

    How do I stop having to have my posts approved before they are seen? This creates a delay in the process. Thanks for all the help.
     
  9. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    You shouldn't have this problem anymore. It affects users with less than 5 posts.

    The fix didn't work for whatever reason.
    Let's try one at a time...

    Open Notepad
    Copy and paste the following text into Notepad:
    Code:
    @ECHO OFF
    START 
    remover.exe fix \\.\PhysicalDrive0
    EXIT
    Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
    Then in the FILE NAME box type fix.bat.
    Save fix.bat to your Desktop.

    Run fix.bat by double clicking.
    You may see a black box appear; this is normal.

    When done, run remover.exe again and post its output.
     
  10. Ace2112

    Ace2112 TS Rookie Topic Starter Posts: 22

    Thanks for your help.
    I think that worked for PhysicalDrive0.

    Bootkit Remover version 1.0.0.1
    (c) 2009 eSage Lab
    www.esagelab.com

    \\.\C: -> \\.\PhysicalDrive0
    MD5: 0ec6b2481fc707d1e901dc2a875f2826
    \\.\E: -> \\.\PhysicalDrive2
    MD5: 0d2aa81fc61f2f9214afebf1c96a2f88
    \\.\F: -> \\.\PhysicalDrive2
    \\.\G: -> \\.\PhysicalDrive3
    MD5: 0d2aa81fc61f2f9214afebf1c96a2f88
    \\.\H: -> \\.\PhysicalDrive1
    MD5: 0d2aa81fc61f2f9214afebf1c96a2f88

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
    465 GB \\.\PhysicalDrive2 Unknown boot code
    1397 GB \\.\PhysicalDrive3 Unknown boot code
    1863 GB \\.\PhysicalDrive1 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Press any key to quit...
     
  11. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Yes.
    Restart computer (important!) and...

    Open Notepad
    Copy and paste the following text into Notepad:
    Code:
    @ECHO OFF
    START 
    remover.exe fix \\.\PhysicalDrive2
    EXIT
    Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
    Then in the FILE NAME box type fix.bat.
    Save fix.bat to your Desktop.

    Run fix.bat by double clicking.
    You may see a black box appear; this is normal.

    When done, run remover.exe again and post its output.
     
  12. Ace2112

    Ace2112 TS Rookie Topic Starter Posts: 22

    I'm having the problem with my desktop comp. When I tried to reboot it threw up an error and said I had to use my Vista install disc to repair my computer. I'm typing this from my laptop. Is this normal? I assume we are going to try the script on each disk? Will I have to do this each time I reboot? I'm waiting for the OS on the disk to load.

    Thanks again for your help.
     
  13. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Do you have Vista DVD?
    What type of Windows do you have installed on other drives?
     
  14. Ace2112

    Ace2112 TS Rookie Topic Starter Posts: 22

    I have the Vista Ultimate 32bit DVD on Drive C. It's the only OS on the comp. I went through the repair process. Everything seems to be working.

    Next step? Thanks again.
     
  15. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    OK. Re-run remover.exe and post fresh log.
    Is iexplore.exe gone?

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  16. Ace2112

    Ace2112 TS Rookie Topic Starter Posts: 22

    I don't see iexplore.exe but I never know when it will appear and I can only see it using Process Explorer from Sysinternals. It does not ever show in the OS Task Mgr.

    I'll do the ComboFix now.
    Thanks

    Here is remover log.
    Bootkit Remover version 1.0.0.1
    (c) 2009 eSage Lab
    www.esagelab.com

    \\.\C: -> \\.\PhysicalDrive0
    MD5: 0ec6b2481fc707d1e901dc2a875f2826
    \\.\E: -> \\.\PhysicalDrive2
    MD5: 0d2aa81fc61f2f9214afebf1c96a2f88
    \\.\F: -> \\.\PhysicalDrive2
    \\.\G: -> \\.\PhysicalDrive3
    MD5: 0d2aa81fc61f2f9214afebf1c96a2f88
    \\.\H: -> \\.\PhysicalDrive1
    MD5: 0d2aa81fc61f2f9214afebf1c96a2f88

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
    465 GB \\.\PhysicalDrive2 Unknown boot code
    1397 GB \\.\PhysicalDrive3 Unknown boot code
    1863 GB \\.\PhysicalDrive1 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Press any key to quit...
     
  17. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    OK. Looks good :)

    I'll be getting ready for bed, so I'll check back on you tomorrow...
     
  18. Ace2112

    Ace2112 TS Rookie Topic Starter Posts: 22

    Thanks.

    Does it matter that remover listed Unknown Boot Codes on the following disks? Will that be fixed by ComboFix?

    465 GB \\.\PhysicalDrive2 Unknown boot code
    1397 GB \\.\PhysicalDrive3 Unknown boot code
    1863 GB \\.\PhysicalDrive1 Unknown boot code
     
  19. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Since there is no OS installed on those disks, there is no boot code. You're fine.
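    The MBR checks behind the Bootkit Remover output in this thread (hashing the boot sector, "Unknown boot code" versus a known-good sector, and why a disk with no OS can show no recognisable boot code) as an added Python example; this is not code from the thread or from eSage Lab's tool. It builds its own 512-byte sectors: the reference boot code, the partition entries and the restore routine are constructed placeholders, and the example reports "No boot code" separately from "Unknown boot code", which remover.exe reports together.

```python
"""Inspect a 512-byte master boot record the way a bootkit remover does.

Constructed example: the reference boot code below is a placeholder,
NOT real Windows boot code, so the hashes are illustrative only.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"    # bytes 510..511 mark a valid MBR

# Constructed stand-in for known-good boot code (assumption, not Windows').
REFERENCE_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 439
KNOWN_GOOD_MD5 = {
    hashlib.md5(REFERENCE_BOOT_CODE).hexdigest(): "reference (constructed)",
}


def make_partition_entry(bootable, ptype, lba_start, sectors):
    """Build one 16-byte MBR partition entry (CHS fields left zero)."""
    status = 0x80 if bootable else 0x00
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0",
                       lba_start, sectors)


def make_mbr(boot_code, partitions):
    """Assemble a 512-byte sector from boot code and up to four entries."""
    if len(boot_code) > BOOT_CODE_LEN or len(partitions) > 4:
        raise ValueError("boot code too long or too many partitions")
    table = b"".join(partitions)
    table += b"\0" * (PART_ENTRY_LEN * 4 - len(table))
    return boot_code.ljust(BOOT_CODE_LEN, b"\0") + table + SIGNATURE


def parse_mbr(sector):
    """Return signature validity, partition table and a boot-code verdict."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    boot_code = sector[:BOOT_CODE_LEN]
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _, ptype, _, lba, count = struct.unpack(
            "<B3sB3sII", sector[off:off + PART_ENTRY_LEN])
        if ptype != 0:          # type 0 means an empty slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    code_md5 = hashlib.md5(boot_code).hexdigest()
    if not any(boot_code):
        verdict = "No boot code"           # typical for a data-only disk
    elif code_md5 in KNOWN_GOOD_MD5:
        verdict = "OK (%s)" % KNOWN_GOOD_MD5[code_md5]
    else:
        verdict = "Unknown boot code"      # non-standard code: inspect it
    return {"signature_ok": sector[510:512] == SIGNATURE,
            "boot_code_md5": code_md5,
            "sector_md5": hashlib.md5(sector).hexdigest(),
            "partitions": parts, "verdict": verdict}


def restore_boot_code(sector, reference=REFERENCE_BOOT_CODE):
    """Rewrite only bytes 0..445; partition table and signature survive.

    Assumed to mirror what a 'fix' command does: the whole-sector hash
    changes, but the partitions stay exactly as they were.
    """
    return reference.ljust(BOOT_CODE_LEN, b"\0") + sector[BOOT_CODE_LEN:]


def demo():
    """Walk a data disk, a disk with odd boot code, and the disk after a fix."""
    data_part = make_partition_entry(False, 0x07, 2048, 976771072)
    os_part = make_partition_entry(True, 0x07, 2048, 976771072)
    data_disk = make_mbr(b"", [data_part])                          # no OS
    odd_disk = make_mbr(b"\xeb\x3c\x90" + b"\x41" * 100, [os_part])  # odd code
    fixed_disk = restore_boot_code(odd_disk)
    return {name: parse_mbr(sec) for name, sec in
            [("data", data_disk), ("odd", odd_disk), ("fixed", fixed_disk)]}


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info["verdict"], info["sector_md5"], info["partitions"])
```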
     
  20. Ace2112

    Ace2112 TS Rookie Topic Starter Posts: 22

    Thanks again. I'll report back tomorrow.
    Have a good night.
     
  21. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    No problem :)
     
  22. Ace2112

    Ace2112 TS Rookie Topic Starter Posts: 22

    Broni:
    I think I'm clean. Should I try any thing else?
    Do you have a paypal tip jar? You need one. Thanks for the help!
     
  23. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    You're welcome :)
    However, I won't let you go until I'm 100% sure your computer is clean.
    I accept donations in "Thank you" notes :)

    Please, run Combofix (my reply #15).
     
  24. Ace2112

    Ace2112 TS Rookie Topic Starter Posts: 22

    Guess I forgot to say, I did run it last night.
    Should I post the log?
     
  25. Broni

    Broni Malware Annihilator Posts: 52,897   +344

    Yes please.
     
Topic Status:
Not open for further replies.
