TechSpot

Problems with multiple iexplore.exe, slow system and pop ups

Solved
By Biolund
Jul 20, 2010
  1. I am hoping someone can help me solve a problem with multiple iexplore.exe showing up in the task manager that seem to slow the system down. Also occasionally I will get a full-screen random ad appear on the screen. After this happened I ended up upgrading Malwarebytes' Anti-Malware, but it did not solve the problem. I do get a message "blocked access to a potentially malicious website: 94.75.229.139".
    I followed the 8-step instructions and here are my logs. I attached 3 of them due to insufficient space. Please help!!

    Malwarebyte log:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4332

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    7/20/2010 9:35:53 PM
    mbam-log-2010-07-20 (21-35-53).txt

    Scan type: Quick scan
    Objects scanned: 143948
    Time elapsed: 10 minute(s), 31 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     


  2. Broni

    Broni Malware Annihilator Posts: 47,048   +255

    Download Bootkit Remover to your Desktop.

    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  3. Biolund

    Biolund TS Rookie Topic Starter Posts: 32

    Thank you Broni!!! Here is the output file from remover.exe:

    Bootkit Remover version 1.0.0.1
    (c) 2009 eSage Lab
    www.esagelab.com

    \\.\C: -> \\.\PhysicalDrive0
    MD5: b19ee33a0168d5f0bb9afbe12e2bc035

    Size     Device Name          MBR Status
    --------------------------------------------
    149 GB   \\.\PhysicalDrive0   Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Press any key to quit...

    Broni
    I forgot to tell you that the sound on my computer stopped working when the problem with multiple iexplore.exe started.
     
  4. Biolund

    Biolund TS Rookie Topic Starter Posts: 32

    Full Malwarebyte scan log and protection log

    These two logs may be of interest too (attached)
     


  5. Broni

    Broni Malware Annihilator Posts: 47,048   +255

    Cleaning process instructions clearly say:
    So please, don't do anything else but what I ask you to do.

    =======================================================================

    Open Notepad
    Copy and paste following text into Notepad:
    Code:
    @ECHO OFF
    START remover.exe fix \\.\PhysicalDrive0
    EXIT
    Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
    Then in the FILE NAME box type fix.bat.
    Save fix.bat to your Desktop.

    Run fix.bat by double clicking.
    You may see a black box appear; this is normal.

    When done, run remover.exe again and post its output.
     
  6. Biolund

    Biolund TS Rookie Topic Starter Posts: 32

    Remover.exe log

    My apology! Here is the log:

    Bootkit Remover version 1.0.0.1
    (c) 2009 eSage Lab
    www.esagelab.com

    \\.\C: -> \\.\PhysicalDrive0
    MD5: 6def5ffcbcdbdb4082f1015625e597bd

    Size     Device Name          MBR Status
    --------------------------------------------
    149 GB   \\.\PhysicalDrive0   OK (DOS/Win32 Boot code found)


    Press any key to quit...
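The two remover.exe runs above differ only in the MBR status and the MD5 line: "Unknown boot code" before the fix, a standard DOS/Win32 boot sector afterwards. The following added example (not code from eSage Lab's tool, whose internal checks this thread does not document) shows what such a sanity check looks like when written by hand: it parses a constructed 512-byte sector, validates the 0x55AA signature and partition table, and compares an MD5 of the bootstrap code against a baseline hash captured from a known-clean machine. The sample boot bytes, the partition geometry and the assumption that the tool's MD5 covers the whole sector are all constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # classic MBR layout: bootstrap code in bytes 0..439
PART_TABLE_OFF = 446     # four 16-byte partition entries start here
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510      # 0x55AA boot signature in the last two bytes

# Constructed sample bootstrap code (not real boot code from any disk):
# a few plausible-looking opening bytes padded with NOPs.
SAMPLE_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100


def build_sample_mbr(boot_code):
    """Build a constructed 512-byte MBR: the given bootstrap code, one bootable
    NTFS-type partition starting at LBA 63 and a valid 0x55AA signature."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code longer than %d bytes" % BOOT_CODE_LEN)
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 312_000_000)
    sector[PART_TABLE_OFF:PART_TABLE_OFF + PART_ENTRY_LEN] = entry
    sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] = b"\x55\xaa"
    return bytes(sector)


def parse_partitions(sector):
    """Return the non-empty entries of the MBR partition table."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _, ptype, _, lba, count = struct.unpack(
            "<B3sB3sII", sector[off:off + PART_ENTRY_LEN])
        if ptype == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return parts


def boot_code_md5(sector):
    """MD5 of the bootstrap code only: the partition table and disk signature
    legitimately change over time, so they are excluded from the baseline."""
    return hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector, baseline_boot_md5=None):
    """Classify a sector: signature check, whole-sector MD5 (assumed here to be
    what the tool's MD5 line refers to) and bootstrap code compared against a
    baseline hash captured from a known-clean system."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector" % SECTOR_SIZE)
    signature_ok = sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xaa"
    current = boot_code_md5(sector)
    if not signature_ok:
        status = "Invalid signature"
    elif baseline_boot_md5 is None:
        status = "No baseline"
    elif current == baseline_boot_md5:
        status = "OK (boot code matches baseline)"
    else:
        status = "Unknown boot code"
    return {"status": status, "signature_ok": signature_ok,
            "sector_md5": hashlib.md5(sector).hexdigest(),
            "boot_code_md5": current, "partitions": parse_partitions(sector)}


if __name__ == "__main__":
    clean = build_sample_mbr(SAMPLE_BOOT_CODE)
    baseline = boot_code_md5(clean)
    # Overwrite the first bytes of the bootstrap code to simulate a modified MBR.
    tampered = b"\xfa\xeb\x20" + clean[3:]
    for label, sec in (("clean", clean), ("tampered", tampered)):
        r = check_mbr(sec, baseline)
        print("%-9s MD5: %s  %s" % (label, r["sector_md5"], r["status"]))
```

Hashing only the first 440 bytes is the design point: the partition table in the same sector changes whenever a volume is created or resized, so a whole-sector hash (the kind printed in the thread) is useful for noticing that something changed, but a baseline for "is the boot code still the one we installed" has to exclude it. A real check would read the sector from the physical device with administrator rights instead of building one in memory.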
     
  7. Biolund

    Biolund TS Rookie Topic Starter Posts: 32

    Hi Broni

    Still have multiple iexplore.exe in task manager and Malwarebytes is blocking: IP-BLOCK 94.75.229.139

    Do you want me to turn Malwarebytes auto protect off or not? Also I have Symantec Endpoint Protection - should I disable that?
     
  8. Broni

    Broni Malware Annihilator Posts: 47,048   +255

    None of those.
    Please, restart computer and check for iexplore.exe issue
     
  9. Biolund

    Biolund TS Rookie Topic Starter Posts: 32

    Broni
    I am very pleased to tell you that the iexplore.exe no longer shows up in the task manager and Malwarebytes is not constantly blocking IPs. Your magi worked - thank you!!!! However, I still do not have any sound back? I am not sure if the problems are related or my speakers just decided to die. What do you think?
     
  10. Biolund

    Biolund TS Rookie Topic Starter Posts: 32

    Magic that is:)
     
  11. Broni

    Broni Malware Annihilator Posts: 47,048   +255

    I'm glad to hear good news :)
    We'll worry about your sound, when we make sure your computer is 100% clean.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
     
  12. Biolund

    Biolund TS Rookie Topic Starter Posts: 32

    ComboFix Log

    Here is the txt file that was created under C:\combofix. There was also a text file created when ComboFix ended. I have attached that one since it was too long to paste.

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
    \Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
    \Driver\atapi -> atapi.sys @ 0xb9e62852
    \Driver\iaStor -> iaStor.sys @ 0xb9e7cf78
    IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
    ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
    ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
    NDIS: Intel(R) PRO/Wireless 3945ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb9d68bb0
    PacketIndicateHandler -> NDIS.sys @ 0xb9d57a0d
    SendHandler -> NDIS.sys @ 0xb9d6bb40
    user & kernel MBR OK
     


  13. Broni

    Broni Malware Annihilator Posts: 47,048   +255

    Combofix log looks good :)

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    =================================================================

    Download OTL to your Desktop.
    Alternate download: HERE

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in:

    Code:
    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  14. Biolund

    Biolund TS Rookie Topic Starter Posts: 32

    Logs are too long to post - attached.
     


  15. Broni

    Broni Malware Annihilator Posts: 47,048   +255

    Update your Java version here: http://www.java.com/en/download/installed.jsp
    During installation, make sure to UN-check any pre-checked extra "garbage" installation, like Yahoo toolbar, or others.
    Uninstall all previous Java versions, through Add/Remove (Programs & Features in Vista/7).

    ======================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
      IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:1051
      FF - prefs.js..network.proxy.http_port: 1051
      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
      @Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
      
      :Services
      
      :Reg
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
      "DisableMonitoring" =-
      
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [resethosts]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
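The fix script above targets a specific set of findings from the OTL scan: Internet Explorer's ProxyServer pointed at 127.0.0.1:1051, Firefox's network.proxy.http_port set to the same port (both browsers funnelled through a listener on the machine itself, which is consistent with the multiple iexplore.exe processes and the ad pop-ups), an Internet Explorer Restrictions policy key, two alternate data streams attached to a TEMP file, and a Security Center entry that disables monitoring of the Symantec product. The following added example (not OTL's code, nor OldTimer's, nor anything from this thread) runs detection rules for exactly those indicators over sample lines. The lines mirror the ones quoted in the script; the `"DisableMonitoring" = 1` value line is constructed, since the page shows only the deletion syntax, and the regexes are written against the line shapes visible in this thread rather than any documented OTL format.

```python
import re
from ipaddress import ip_address

# Constructed sample input: the indicator lines quoted from the OTL fix script in
# this thread, plus one registry value line (value "1") made up to exercise the
# Security Center rule. Backslashes are doubled only because these are Python literals.
SAMPLE_OTL_LINES = [
    'IE - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings: "ProxyOverride" = <local>',
    'IE - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings: "ProxyServer" = http=127.0.0.1:1051',
    'FF - prefs.js..network.proxy.http_port: 1051',
    'O6 - HKLM\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions present',
    '@Alternate Data Stream - 122 bytes -> C:\\Documents and Settings\\All Users\\Application Data\\TEMP:A8ADE5D8',
    '@Alternate Data Stream - 121 bytes -> C:\\Documents and Settings\\All Users\\Application Data\\TEMP:DFC5A2B2',
    '[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\Monitoring\\SymantecAntiVirus]',
    '"DisableMonitoring" = 1',
]

PROXY_RE = re.compile(r'"ProxyServer" = (?:[a-z]+=)?(?P<host>[^:;\s]+):(?P<port>\d+)')
FF_PORT_RE = re.compile(r'network\.proxy\.http_port: (?P<port>\d+)')
RESTRICT_RE = re.compile(r'Policies\\Microsoft\\Internet Explorer\\Restrictions present')
ADS_RE = re.compile(r'@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$')
REGKEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
DISABLE_MON_RE = re.compile(r'^"DisableMonitoring"\s*=\s*(?P<value>.*)$')


def _is_loopback(host):
    """True for localhost or any loopback address (127.0.0.0/8, ::1)."""
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def scan_otl_lines(lines):
    """Walk OTL-style lines and return a list of findings (dicts with a 'rule' key)."""
    findings = []
    current_key = None      # last "[HKEY_...]" header seen, for the value lines below it
    for raw in lines:
        line = raw.strip()
        m = REGKEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = PROXY_RE.search(line)
        if m:
            host, port = m.group("host"), int(m.group("port"))
            loop = _is_loopback(host)
            # A proxy on the machine itself means something local sits in the
            # browser's traffic path; a remote proxy may be a legitimate corporate one.
            findings.append({"rule": "ie_proxy", "host": host, "port": port,
                             "loopback": loop, "severity": "high" if loop else "medium",
                             "line": line})
            continue
        m = FF_PORT_RE.search(line)
        if m:
            findings.append({"rule": "ff_proxy_port", "port": int(m.group("port")),
                             "severity": "medium", "line": line})
            continue
        if RESTRICT_RE.search(line):
            findings.append({"rule": "ie_restrictions", "severity": "medium", "line": line})
            continue
        m = ADS_RE.search(line)
        if m:
            # Split on the last colon: "C:\...\TEMP" and the stream name after it.
            path, stream = m.group("path").rsplit(":", 1)
            findings.append({"rule": "ads", "size": int(m.group("size")), "path": path,
                             "stream": stream, "severity": "medium", "line": line})
            continue
        m = DISABLE_MON_RE.match(line)
        if m and current_key and "Security Center\\Monitoring" in current_key:
            findings.append({"rule": "av_monitoring_disabled", "key": current_key,
                             "value": m.group("value").strip(), "severity": "high",
                             "line": line})
    return findings


def shared_proxy_ports(findings):
    """Ports that both the IE and the Firefox settings point at: one local listener
    intercepting both browsers is a stronger signal than either setting alone."""
    ie = {f["port"] for f in findings if f["rule"] == "ie_proxy"}
    ff = {f["port"] for f in findings if f["rule"] == "ff_proxy_port"}
    return ie & ff


if __name__ == "__main__":
    found = scan_otl_lines(SAMPLE_OTL_LINES)
    for f in found:
        print("%-6s %-24s %s" % (f["severity"], f["rule"], f["line"][:70]))
    print("proxy port shared by IE and Firefox:", shared_proxy_ports(found))
```

The registry rule keeps state across lines because the key header and the value sit on separate lines in the script; everything else is a per-line match. The ProxyOverride line is deliberately not flagged on its own, since `<local>` is the normal bypass-for-local-addresses setting and only matters alongside a proxy entry.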
     
  16. Biolund

    Biolund TS Rookie Topic Starter Posts: 32

    I followed your instructions. When I clicked "Run Fix" a box in the bottom of the program said "Terminating Processes DO NOT INTERRUPT". However, nothing happened for 60 minutes and I ended up leaving the computer on overnight. This AM the computer was frozen with the message "preparing to standby". I restarted it, but don't dare to do anything else until further instructions.
     
  17. Broni

    Broni Malware Annihilator Posts: 47,048   +255

    Try to re-run the script.
    If it's still stuck after 30 minutes or so, let me know.
     
  18. Biolund

    Biolund TS Rookie Topic Starter Posts: 32

    I disabled Symantec and Malwarebytes and it did the trick. Here is the first log. I will run the quick scan and post the log next.


    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 327814 bytes

    User: Soren
    ->Temp folder emptied: 14659751 bytes
    ->Temporary Internet Files folder emptied: 283614 bytes
    ->Java cache emptied: 83456 bytes
    ->FireFox cache emptied: 35481328 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    Windows Temp folder emptied: 18184 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 55.84 mb

    Error: Unable to interpret <[emptyflash]> in the current context!
    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    OTL by OldTimer - Version 3.1.17.0 log created on 07222010_210400

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
     
  19. Broni

    Broni Malware Annihilator Posts: 47,048   +255

    Wait......
     
  20. Broni

    Broni Malware Annihilator Posts: 47,048   +255

    You did something wrong...
    Most likely, you didn't copy my whole script. Make sure, you copy everything, including a "colon" in front of "OTL" (1st line of script).
     
  21. Biolund

    Biolund TS Rookie Topic Starter Posts: 32

    Really? I can try to run the script again. Here is the second log if it is any use.

    OTL logfile created on: 7/22/2010 9:12:35 PM - Run 2
    OTL by OldTimer - Version 3.1.17.0 Folder = C:\Documents and Settings\Soren\Desktop
    Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1.99 Gb Total Physical Memory | 1.33 Gb Available Physical Memory | 66.99% Memory free
    3.84 Gb Paging File | 3.48 Gb Available in Paging File | 90.55% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 149.05 Gb Total Space | 24.07 Gb Free Space | 16.15% Space Free | Partition Type: NTFS
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: SOREN-F45C19F2A
    Current User Name: Soren
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 14 Days
    Output = Standard
     
  22. Broni

    Broni Malware Annihilator Posts: 47,048   +255

    Please, read my post #20.
     
  23. Biolund

    Biolund TS Rookie Topic Starter Posts: 32

    I ran the script again, copying it carefully. Here is the log:

    All processes killed
    ========== OTL ==========
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
    Prefs.js: 1051 removed from network.proxy.http_port
    Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ not found.
    Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8 .
    Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 .
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\\DisableMonitoring deleted successfully.
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Soren
    ->Temp folder emptied: 17024 bytes
    ->Temporary Internet Files folder emptied: 33659 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 6161068 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    Windows Temp folder emptied: 318 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 5.99 mb

    Error: Unable to interpret <[emptyflash]> in the current context!
    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    OTL by OldTimer - Version 3.1.17.0 log created on 07222010_211830

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
     
  24. Biolund

    Biolund TS Rookie Topic Starter Posts: 32

    And here is the quick scan log - attached
     


  25. Broni

    Broni Malware Annihilator Posts: 47,048   +255

    Now, you're talking :)

    Last scan....

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
Topic Status:
Not open for further replies.

