TechSpot

Multiple instances of iexplorer and redirecting while clicking on links

By VMurali
Apr 29, 2010
  1. There are multiple instances of iexplore.exe in my task manager and whenever I click on the search links from Google it is redirecting me to a random site. Clicking the back button a couple of times brings back the original page. Can someone please help? Do I have to run HijackThis or do I have to follow those 8 steps before posting? I'm new to this forum.
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot, VMurali. I'll help with the malware.

    First, if you have IE8, it is normal to see multiple processes for iexplore.exe running.

    We have preliminary steps we'd like you to follow, then leave the logs for us to review. You will find the steps, the links and the directions HERE.

    Please do not run any other cleaning program or scan while I am helping you, unless I ask you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  3. VMurali

    VMurali TS Rookie Topic Starter

    Attaching the logs as mentioned in the thread. Please advise on how to proceed. Thank you very much for looking into this.

    Murali
     

    Attached Files:

  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're running 3 antivirus programs: a-squared, Avira and BitDefender. Please remove 2 of them.
    ========================
    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
    ====================
    Please download HijackThis from here.


    • Save it to a permanent folder (such as C:\HJT).
    • Next, open HijackThis, and select Do a system scan and save a logfile.
    • A Notepad document will open. Please paste the log in the next reply.
     
  5. VMurali

    VMurali TS Rookie Topic Starter

    Hi,
    Attaching the Combofix log and following is the HijackThis log

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 8:28:12 PM, on 5/2/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rediff.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.kumudam.com/wfplayer/tdserver.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
    O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/26.30/uploader2.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://preview.evite.com/js/ImageUploader5.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
    O16 - DPF: {7B133798-FAA8-4A7E-950D-BEB35D3363AF} (LinksysViewer Control) - http://75.17.247.79/img/LinksysViewer.cab
    O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
    O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://remoteoffice.genworth.com/dana-cached/setup/JuniperSetupSP1.cab
    O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://remoteoffice.genworth.com/dana-cached/sc/JuniperSetupClient.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - Unknown owner - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (file missing)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
    O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
    O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    --
    End of file - 6212 bytes
     

    Attached Files:
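The log above is plain text in HijackThis v2 format, and the helper's later replies pick out the same things a reviewer always looks for first: O23 services whose binary is gone ("(file missing)"), services with an unknown owner, and O16 DPF ActiveX controls fetched from a bare IP address rather than a hostname. The parser below is an added example, not code from HijackThis or from this thread; the sample log is a constructed excerpt modelled on the entries posted above, and every function and regex in it is an assumption of this example.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample in HijackThis v2 log format (excerpted from the log
# posted above). Assumption: this parser is illustration only, not part of
# HijackThis itself.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O16 - DPF: {7B133798-FAA8-4A7E-950D-BEB35D3363AF} (LinksysViewer Control) - http://75.17.247.79/img/LinksysViewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - Unknown owner - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
--
End of file - 6212 bytes
"""

# Every HJT entry line starts with a section code (R0, R1, F2, O2 ... O24).
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d{1,2}) - (?P<body>.+)$")

# O23 body: "Service: <display> [(<service name>)] - <owner> - <path> [(file missing)]"
SERVICE_RE = re.compile(
    r"^Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# A download URL whose host is a dotted-quad IP rather than a hostname.
IP_URL_RE = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}[/:]")


class Entry(NamedTuple):
    kind: str   # e.g. "O23"
    body: str   # text after "O23 - "


class Service(NamedTuple):
    display: str
    name: Optional[str]   # short service name; HJT omits it for some entries
    owner: str
    path: str
    file_missing: bool


def parse_hjt(text: str) -> list:
    """Return every R/F/O entry; process lists, headers and the trailer are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["kind"], m["body"]))
    return entries


def count_by_kind(entries: list) -> dict:
    """How many entries of each section code the log contains."""
    counts: dict = {}
    for e in entries:
        counts[e.kind] = counts.get(e.kind, 0) + 1
    return counts


def parse_services(entries: list) -> list:
    """Split each O23 line into its display name, service name, owner and binary path."""
    services = []
    for e in entries:
        if e.kind != "O23":
            continue
        m = SERVICE_RE.match(e.body)
        if m:
            services.append(Service(m["display"], m["name"], m["owner"],
                                    m["path"], m["missing"] is not None))
    return services


def orphaned_services(services: list) -> list:
    """Services still registered although their executable no longer exists."""
    return [s for s in services if s.file_missing]


def unknown_owner_services(services: list) -> list:
    """Services whose binary carries no vendor information."""
    return [s for s in services if s.owner == "Unknown owner"]


def dpf_from_bare_ip(entries: list) -> list:
    """O16 DPF controls downloaded from an IP address instead of a hostname."""
    return [e.body for e in entries if e.kind == "O16" and IP_URL_RE.search(e.body)]


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    print(count_by_kind(found))
    for svc in orphaned_services(parse_services(found)):
        print("orphaned service:", svc.display, "->", svc.path)
    for body in dpf_from_bare_ip(found):
        print("DPF from bare IP:", body)
```

None of these checks says an entry is malicious on its own; orphaned services and unknown owners are common leftovers of uninstalled software, which is exactly why the helper asks which antivirus was kept before deciding what to remove.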

  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please run this first:

    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:

    Code:
    File::
    c:\windows\system32\DRIVERS\motccgp.sys 
    c:\windows\system32\DRIVERS\motccgpfl.sys
    c:\windows\system32\DRIVERS\motport.sys
    C:\trjsetup681.exe
    C:\OriginalReg.reg
    c:\windows\system32\rezumatenoi.dat
    c:\documents and settings\NewName
    
    Folder::
    C:\pcwords2.dat
    C:\pcwords.dat
    c:\documents and settings\All Users\Application Data\TEMP
    C:\Cache
    C:\spoolerlogs
     
    Registry::
    RegLock::
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    [HKEY_USERS\.Default\Software\SetID\Internal]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{76c81ddb-435c-4a1c-ba3e-4e96c1ecba76}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
    
    Driver::
    motccgp
    motccgpfl
    motport
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    Then to make sure all Rootkit entries were found and removed:

    Download TDSSKiller. Extract the zipped file to your desktop.

    Go to Start ->Run. Type/Copy and Paste the following text into the prompt:
    Code:
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v
    • This will have the program write a detailed log
    • The screen will resemble this black screen:
    • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
    • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
    • You should get a screen like this:
    • A log file named report.txt should have been created and saved to the root directory (usually C:\report.txt).
    • Follow the prompts and attach the report to your next reply.

    Please post both logs in next reply.
     
  7. VMurali

    VMurali TS Rookie Topic Starter

    Hi,
    Attaching the Combofix.txt and report.txt.
     

    Attached Files:

  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Which antivirus program did you keep? Did you remember to enable it again after running Combofix?

    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\system32\scsichk.sys
    c:\program files\peerblock\pbfilter.sys
    c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
    c:\windows\system32\DRIVERS\motport.sys
    
    Folder::
    
    Registry::
    
    Driver::
    trrxtiav
    scsichk
    pbfilter
    GoogleDesktopManager-093007-112848
    motport
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    Then run this online scan: Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Follow with new scan with HijackThis. If all are okay and the problems have resolved, I'll have you remove the cleaning tools and old restore points.

    Please leave all logs.
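A CFScript like the two posted in this thread is a small sectioned text file: a header such as `File::`, `Folder::`, `Registry::` or `Driver::` followed by one item per line. Before dragging it onto ComboFix it is worth reading it back as data, for instance to see which `Driver::` names are paired with a `.sys` under `File::` and which are service names only. The parser below is an added example, not ComboFix's own code or anything from this thread beyond the script text it uses as sample input (copied from the second CFScript above); the section format it assumes is exactly what those two scripts show, and all function names are this example's own.

```python
import re

# Sample input: the second CFScript posted in this thread, reproduced verbatim.
# Assumption: ComboFix's real script grammar may accept more than the
# "Name::" headers and one-item-per-line layout these two scripts use.
CFSCRIPT = r"""File::
c:\windows\system32\scsichk.sys
c:\program files\peerblock\pbfilter.sys
c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
c:\windows\system32\DRIVERS\motport.sys

Folder::

Registry::

Driver::
trrxtiav
scsichk
pbfilter
GoogleDesktopManager-093007-112848
motport
"""

# A section header is a bare word followed by "::" (File::, Folder::, RegLock:: ...).
SECTION_RE = re.compile(r"^([A-Za-z]+)::$")


def parse_cfscript(text: str) -> dict:
    """Return {section name: [items]}; empty sections are kept with an empty list."""
    sections: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"item before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def _stem(path: str) -> str:
    """Lower-cased file name without directory or extension: '...\\motport.sys' -> 'motport'."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0].lower()


def driver_file_coverage(sections: dict) -> dict:
    """Map each Driver:: name to the File:: path with the same stem, or None if there is none."""
    by_stem = {_stem(p): p for p in sections.get("File", [])}
    return {drv: by_stem.get(drv.lower()) for drv in sections.get("Driver", [])}


def nonempty_sections(sections: dict) -> list:
    """Names of the sections that actually carry items, in file order."""
    return [name for name, items in sections.items() if items]


if __name__ == "__main__":
    parsed = parse_cfscript(CFSCRIPT)
    print("sections with content:", nonempty_sections(parsed))
    for driver, path in driver_file_coverage(parsed).items():
        print(f"{driver:40} {'file: ' + path if path else 'service name only'}")
```

On the second script this reports `scsichk`, `pbfilter` and `motport` as backed by a `.sys` entry and `trrxtiav` and the Google Desktop service as driver names with no matching file, which matches how the helper wrote it: the `.sys` files are removed where they exist, and the remaining names are unregistered by name alone.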
     
  9. VMurali

    VMurali TS Rookie Topic Starter

    Sorry, the antivirus pgm was not running at that time. I have installed Avast and it is running now. Attaching the logs.

    Thank You.
     

    Attached Files:

  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You need to get the antivirus protection cleared up. You should only run one antivirus program. Bit Defender AV has been on the system all along. If it is current and working with updating, you don't need another antivirus. A firewall would be good, but not another AV! There were 3 on the system previously: a-squared, Avira and BitDefender. Now you have Avast and Bit Defender. Please get it down to only one current, updating antivirus program. I asked "Which antivirus program did you keep?" so that if I saw entries remaining from the other programs, I could have you remove them.

    I checked the HijackThis log and found entries for McAfee and Avast. Combofix shows BitDefender and Avast.
    I see the Java updater and the Java QuickStart Service, but I don't see Java running. I'm going to have you remove the cleaning tools and then suggest some maintenance.

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disc Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    ===================================
    It would be helpful to your system to do the following:
    • Disc Cleanup
    • Error Checking
    • Defrag
    Access all > My Computer> Right click on Local Drive (C)> Properties> in this order

    • [1] Click on Disc Cleanup
      [2] Then Tools Error Check> check both boxes on screen that comes up> OK> Reboot and let complete.
      [3] Then Tools> Defrag.

    Empty the Recycle Bin
     
  11. VMurali

    VMurali TS Rookie Topic Starter

    Hi Bobbye,
    Once again thank you very much for your time on resolving my issue. You guys are doing a great job. If not for you guys I would have formatted my hard drive. One last thing, even though I removed Bit Defender and McAfee (thru Add/Remove Programs) they still show up (from your previous post). Is there a way to remove them permanently?

    Also, please let me know if I could be of any help in this forum (going thru logs or something; of course I need some guidance from you guys :)

    -Murali
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome. Glad to help.
    You might want to just follow the logs and the programs that are used. Malware removal can be a tough job! The more you know, the better prepared you are to handle the 'stuff' that's coming out. If you think you'd be interested, check out some of the online forums that have online malware training> Bleepingcomputer, Geekstogo to name a couple.

    Here are some tools that will help you remove the remaining entries:
    McAfee Removal

    BitDefender Uninstall Tool
    1. After the download completes go to the location where you downloaded and run (double-click) it;
    2. After a couple of moments the uninstall tool interface will appear;
    3. Click Uninstall;
    4. Wait for the tool to display the completion message and then restart your computer.

    Let me know if you need more help.
     
Topic Status:
Not open for further replies.
