Solved Problems with multiple iexplore.exe, slow system and pop ups

Status
Not open for further replies.

Biolund

Posts: 32   +0
I am hoping someone can help me solve a problem with multiple iexplore.exe showing up in the task manage that seem to slow the system down. Also occasionally I will get a full screen random add appear on the screen. After this happened I ended upgrading Malwarebytes’ anti-Malware, but it did not solve the problem. I do get a message “blocked access to a potential malicious website:94.75.229.139.
I followed the 8 step instruction and here are my logs. I attached 3 of them due to insufficient space. Please help! !

Malwarebyte log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4332

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/20/2010 9:35:53 PM
mbam-log-2010-07-20 (21-35-53).txt

Scan type: Quick scan
Objects scanned: 143948
Time elapsed: 10 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 

Attachments

  • Gmer.log
    12.5 KB · Views: 2
  • DDS.txt
    18.7 KB · Views: 2
  • Attach.txt
    13.6 KB · Views: 0
Download Bootkit Remover to your Desktop.

  • You then need to extract the remover.exe file from the RAR using a program capable of extracing RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  • After extracing remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users,right click on remover.exe and click Run As Administrator.
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.
 
Thank you Broni!!! Here is the output file from remover.exe:

Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: b19ee33a0168d5f0bb9afbe12e2bc035

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Press any key to quit...

Broni
I forgot to tell you that the sound on my computer stopped working when the problem with multiple iexplore.exe started.
 
Full Malwarebyte scan log and protection log

These two logs may be of interest too (attached)
 

Attachments

  • mbam-log-2010-07-21 (08-52-27).txt
    983 bytes · Views: 1
  • protection-log-2010-07-21.txt
    7.6 KB · Views: 1
Cleaning process instructions clearly say:
DO NOT make any other changes to your computer (e.g. installing programs, using other cleaning tools, etc.), until it's officially declared clean!!! DO NOT make any Registry Changes. And it is recommended that if you are running any Registry editing program, that you either uninstall or disable that while we are in the cleaning process
So please, don't do anything else, but only what I ask you to do.

=======================================================================

Open Notepad
Copy and paste following text into Notepad:
Code:
@ECHO OFF
START 
remover.exe fix \\.\PhysicalDrive0
EXIT
Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.bat.
Save fix.bat to your Desktop.

Run fix.bat by double clicking.
You may see a black box appear; this is normal.

When done, run remover.exe again and post its output.
 
Remove.exe log

My apology! Here is the log:

Bootkit Remover version 1.0.0.1
(c) 2009 eSage Lab
www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0
MD5: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Press any key to quit...
 
Hi Broni

Still have multiple iexplore.exe in task manager and Malwarebytes is blocking: IP-BLOCK 94.75.229.139

Do you want me to turn Malwarebytes auto protect off or not? Also I have Symatech Endpoint Protection - should I disable that?
 
Broni
I am very pleased to tell you that the iexplore.exe no longer show up in the task manager and Malwarebyte's are not constantly blocking IP's. Your magi worked - thank you!!!! However, I still do not have any sound back? I am not sure if the problems are related or my speakers just decided to die. What do you think?
 
I'm glad to hear good news :)
We'll worry about your sound, when we make sure your computer is 100% clean.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
ComboFix Log

Here is the txt file that was created under C:\combofix. There was also a tex file created when ComboFix ended. I have attached that one since it was too long to paste

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9e62852
\Driver\iaStor -> iaStor.sys @ 0xb9e7cf78
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel(R) PRO/Wireless 3945ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb9d68bb0
PacketIndicateHandler -> NDIS.sys @ 0xb9d57a0d
SendHandler -> NDIS.sys @ 0xb9d6bb40
user & kernel MBR OK
 

Attachments

  • ComboFix.txt
    22.1 KB · Views: 1
Combofix log looks good :)

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

=================================================================

Download OTL to your Desktop.
Alternate download: HERE

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:



netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Update your Java version here: http://www.java.com/en/download/installed.jsp
During installation, make sure to UN-check any pre-checked extra "garbage" installation, like Yahoo toolbar, or others.
Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista/7).

======================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:1051
    FF - prefs.js..network.proxy.http_port: 1051
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
    @Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    
    :Services
    
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring" =-
    
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [resethosts]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
I followed you instructions. When I clicked “Run Fix” a box in the bottom of the program said “Terminating Processes DO NOT INTERRUPT”. However, nothing happened for 60 minutes and I ended up leaving the computer on overnight. This AM the computer was frozen with the message “preparing to standby”. I restarted it, but don’t dare to do anything else until further instructions.
 
Try to re-run the script.
If it's still stuck after 30 minutes, or so let me know.
 
I disabled Symatec and Malwarebyte's and it did the trick. Here is the first log. I will run the quick scan and post the log next.


->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 327814 bytes

User: Soren
->Temp folder emptied: 14659751 bytes
->Temporary Internet Files folder emptied: 283614 bytes
->Java cache emptied: 83456 bytes
->FireFox cache emptied: 35481328 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 18184 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 55.84 mb

Error: Unable to interpret <[emptyflash]> in the current context!
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.1.17.0 log created on 07222010_210400

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
 
You did something wrong...
Most likely, you didn't copy my whole script. Make sure, you copy everything, including a "colon" in front of "OTL" (1st line of script).
 
Really? I can try to run the script again. Here is the second log if it is any use.

OTL logfile created on: 7/22/2010 9:12:35 PM - Run 2
OTL by OldTimer - Version 3.1.17.0 Folder = C:\Documents and Settings\Soren\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.33 Gb Available Physical Memory | 66.99% Memory free
3.84 Gb Paging File | 3.48 Gb Available in Paging File | 90.55% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 24.07 Gb Free Space | 16.15% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SOREN-F45C19F2A
Current User Name: Soren
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
 
I ran the script again copying it careful. Here is the log:

All processes killed
========== OTL ==========
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Prefs.js: 1051 removed from network.proxy.http_port
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ not found.
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8 .
Unable to delete ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 .
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\\DisableMonitoring deleted successfully.
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Soren
->Temp folder emptied: 17024 bytes
->Temporary Internet Files folder emptied: 33659 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 6161068 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 318 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 5.99 mb

Error: Unable to interpret <[emptyflash]> in the current context!
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.1.17.0 log created on 07222010_211830

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
 
Now, you're talking :)

Last scan....

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


2. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
    [*] Archives
    [*] Mail databases
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
 
Status
Not open for further replies.
Back