TechSpot

Multiple iexplore in Task Manager

By Hudsup
Mar 6, 2007
  1. Hi,

    A few weeks ago, I received some anti-virus notices that an update.exe trojan virus was on my machine. I tried running anti-virus protection, Ad-Aware, etc. But just over the past week, my machine has been overtaken by multiple iexplore.exe processes running in my task manager. I am now unable to use IE at all, like the whole process is locked up when I launch it. In fact, I am sending this from another machine.

    I have also noticed that my Auto Protect settings in Norton AV are now 'off', and I cannot re-enable it. I fear something bad has taken over my machine.


    I have followed the posting instructions, and completed the following already:

    - I have read http://www.techspot.com/vb/topic65943.html
    - I have the Viruses/Spyware/Malware, preliminary removal instructions
    - I have followed all of the preliminary removal instructions
    - I have attached logs from HijackThis and AVG Antispyware as attachments


    Thanks in advance for your help.
     
  2. tomrca

    tomrca TS Rookie Posts: 1,000

  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Delete all files in AVG Antispyware quarantine.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Command Service (cmdService)<Disable the service name and/or the name in brackets.

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    command.exe
    lsasss.exe<Not to be confused with lsass.exe.
    JAVASUN.EXE

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    O4 - HKLM\..\Run: [SunJava5.0] C:\WINDOWS\TEMP\IXP000.TMP\JAVASUN.EXE

    O9 - Extra button: Dell Home - {A5A3EAE0-4C1E-11D4-A88D-901D4EC10171} - C:\WINDOWS\System32\shdocvw.dll (HKCU)

    O20 - AppInit_DLLs:

    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\R3JlZ29yeSBTdXBwZXM\command.exe (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there):

    C:\WINDOWS\R3JlZ29yeSBTdXBwZXM<Delete the entire folder.
    C:\WINDOWS\TEMP\IXP000.TMP<Delete the entire folder.
    C:\WINDOWS\System32\lsasss.exe<Not to be confused with lsass.exe.

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log and let us know if you`re still having problems.

    Regards Howard :wave: :wave:

    This thread is for the use of Hudsup only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  4. Hudsup

    Hudsup TS Rookie Topic Starter

    Hi Howard,

    Thanks for the help. I have completed the steps, and have the latest HJT log attached. The system seems to be functioning much better; I can get online without IE locking up. You are a star.

    One remaining problem is that I cannot re-enable my Norton Antivirus 2003 protection. The Auto-Protect status says "Off" and the "Email Scanning" status says "Error". When I try to re-enable either, the change is simply not applied.

    Thanks again.
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is now clean.

    Personally, I think you`d be better off without Norton. This is due to the fact it`s a resource hog and it`s not very good at killing viruses. However, it`s up to you.

    If you wish to keep Norton, then uninstalling and reinstalling may solve your problem.

    If you wish to take my advice, then do the following.

    Download one of the free antivirus and one of the free firewall programmes below and disconnect from the net.

    AVG free or Avast antivirus programmes.

    Zonealarm or Kerio free firewall programmes.

    Uninstall Norton from add remove programmes in your control panel. If you have any problems in completely uninstalling Norton, see this thread HERE.

    Once Norton is fully uninstalled, reboot your computer.

    Install whichever firewall programme you chose, followed by whichever antivirus programme you chose. Reboot your system the required number of times and reconnect to the net. Run the antivirus updates.

    If you do the above, you may well see an improvement in your system's performance.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of Hudsup only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  6. Hudsup

    Hudsup TS Rookie Topic Starter

    Hi,

    Uninstalling and reinstalling Norton did the trick.

    But Norton is now reporting a new virus. It is calling out 2 files that it cannot clean: tppfaaaa.exe and ipv6motp.dll.

    Looks like I need your excellent help again. I have a new HJT log attached.
     
  7. tomrca

    tomrca TS Rookie Posts: 1,000

    Yep, your PC is infected with trojans and an info stealer.
    Wait for Howard.
    PS: get rid of Norton and get an antivirus programme that will keep your PC cleaner and safer. Besides, it will improve its speed too.
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You really need to install Windows sp1 or preferably sp2, otherwise, this is just going to keep on happening.

    Download the Pocket Killbox programme from HERE. Extract it but don`t run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    oavaaaaa.exe
    sysvx.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\System32\ipv6motp.dll

    O2 - BHO: Image Helper - {646782DF-07D9-5816-C17D-32459D631863} - C:\WINDOWS\system\bpmdm32.dll

    O2 - BHO: (no name) - {7C5B9ED3-D7F6-4C77-9C93-6911D76397EF} - C:\WINDOWS\System32\chbachb.dll

    O4 - HKLM\..\Run: [oavaaaaa] C:\WINDOWS\System32\oavaaaaa.exe

    O4 - HKLM\..\Run: [sysvx.exe] C:\WINDOWS\System32\sysvx.exe

    O4 - HKCU\..\Run: [oavaaaaa] C:\WINDOWS\System32\oavaaaaa.exe

    O20 - Winlogon Notify: mtiuwlib - C:\WINDOWS\SYSTEM32\chbachb.dll

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there):

    C:\WINDOWS\System32\oavaaaaa.exe
    C:\WINDOWS\System32\sysvx.exe

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, and only then allow it to reboot, and hopefully your files will now be deleted. If your computer doesn`t automatically restart, restart it manually.

    These are the filepaths you need to enter into killbox.

    C:\WINDOWS\SYSTEM32\chbachb.dll
    C:\WINDOWS\system\bpmdm32.dll
    C:\WINDOWS\System32\ipv6motp.dll

    Once your system has rebooted, rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of Hudsup only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
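    A defender-side triage check for the kind of HijackThis entries Howard singles out in posts #3 and #8 above (an autostart running from TEMP, a service whose binary is missing or has no owner, an unnamed BHO, and a process name that imitates lsass.exe). This is an added example, not a tool from the thread or from HijackThis itself; the sample lines are quoted from the thread, plus one constructed O4 line for the lsasss.exe path named in post #3 and one constructed benign ctfmon.exe entry as a negative case.

```python
import re
from typing import List, Tuple

# Constructed sample: HijackThis lines quoted from this thread, one constructed
# O4 line for the lsasss.exe path from post #3, and one constructed clean entry.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [SunJava5.0] C:\WINDOWS\TEMP\IXP000.TMP\JAVASUN.EXE
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\R3JlZ29yeSBTdXBwZXM\command.exe (file missing)
O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\System32\ipv6motp.dll
O4 - HKLM\..\Run: [lsasss] C:\WINDOWS\System32\lsasss.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Core Windows process names that malware imitates by adding or changing one
# letter (the thread's lsasss.exe vs the real lsass.exe).
KNOWN_PROCS = {"lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}

PATH_RE = re.compile(r"[A-Za-z]:\\\S+")  # assumption: paths contain no spaces


def is_lookalike(basename: str) -> bool:
    """True if removing any single character yields a real system process name."""
    name = basename.lower()
    if name in KNOWN_PROCS:
        return False
    return any(name[:i] + name[i + 1:] in KNOWN_PROCS for i in range(len(name)))


def check_line(line: str) -> List[str]:
    """Return the reasons a HijackThis entry deserves a closer look (empty if none)."""
    reasons = []
    m = PATH_RE.search(line)
    path = m.group(0) if m else ""
    base = path.rsplit("\\", 1)[-1]
    if "(file missing)" in line:
        reasons.append("autostart points at a file that no longer exists")
    if "\\temp\\" in path.lower():
        reasons.append("autostart runs from a temporary directory")
    if line.startswith("O2 ") and "(no name)" in line:
        reasons.append("browser helper object without a name")
    if line.startswith("O23 ") and "Unknown owner" in line:
        reasons.append("service with no identifiable vendor")
    if is_lookalike(base):
        reasons.append(f"{base} imitates a core Windows process name")
    return reasons


def triage(log: str) -> List[Tuple[str, List[str]]]:
    """Pair every non-empty log line with its reasons; clean lines get []."""
    return [(l, check_line(l)) for l in log.strip().splitlines() if l.strip()]
```

The checks are heuristics for prioritising a log review, not a verdict: a flagged line still needs the same file-by-file confirmation Howard does in the thread.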
     
  9. Hudsup

    Hudsup TS Rookie Topic Starter

    Hi Howard,

    I followed the latest steps and have the updated HJT log attached. Please let me know if I need to clean up anything else; and in the meantime, I am going to update to SP2 and any latest windows updates.

    Thanks again!
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    We got rid of all the nasties except for one.

    Delete the Killbox backups.

    Download Vundofix from HERE.

    Double click the Vundofix.exe to run it.

    Right click in the vundofix window and click add files.

    Enter the full file path/s to the files you want Vundofix to delete and click the add files button, followed by the close window button. Click the remove vundo button and let Vundofix do its stuff.

    This is the filepath you need to enter into Vundofix.

    C:\WINDOWS\System32\chbachb.dll

    Post a fresh HJT log after doing the above.

    Regards Howard :)

    This thread is for the use of Hudsup only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  11. Hudsup

    Hudsup TS Rookie Topic Starter

    Hi Howard,

    I followed the steps, and Vundofix reported twice that it could not remove the file, but then after the third reboot the file was no longer listed in the Vundofix window.

    Latest HJT log attached.
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    It seems you forgot to attach your HJT log.

    Regards Howard :)

    This thread is for the use of Hudsup only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  13. Hudsup

    Hudsup TS Rookie Topic Starter

    Ugh - sorry. It is attached now.
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Damn, it`s still there.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon, which will open a new window titled "Open Script File".
    Navigate to the file you have just downloaded, click on it and press Open.
    Now click on the Green Light to begin execution of the script.
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log.

    Regards Howard :)

    This thread is for the use of Hudsup only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  15. Hudsup

    Hudsup TS Rookie Topic Starter

    Hi,

    I am in real trouble now. I was installing SP2 and it blue-screened during the install, and now I cannot boot on that machine. It just keeps coming to the start-up screen with options to launch in safe mode or last known configuration, and nothing works. The launch starts, aborts and comes back to the same screen.
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Oh dear, that`s not good.

    Try a Windows repair as per this thread HERE.

    Regards Howard :(

    This thread is for the use of Hudsup only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.
