Solved: Root Kit / 2 iexplore.exe / pfloapob.sys

I have 2 iexplore.exe (not one explorer.exe and one iexplore.exe), but 2 iexplore.exe are running in my Task Manager, and I am finding that when I play a game my paging file is overloaded, so I looked it up on your site and followed the 8 Steps.
While I was running GMER, which I was not supposed to because I have a 64-bit system, I got the blue screen where your computer shuts down, and it said the problem seems to be caused by the following file: pfloapob.sys. Apparently it's a rootkit?
So I successfully ran Avast, Malwarebytes, ComboFix and TFC (cleaner).

The DDS and GMER did not work, so here are the Malwarebytes, ComboFix and HijackThis logs. I can't seem to find the Avast log, but nothing was found, which it rarely ever does.



Thank you for anyone who can help :)
~Meg
 

Attachments

  • combofix.txt (22.3 KB)
  • hijackthis.log (8.8 KB)
  • mbam-log-2010-06-25 (11-10-54).txt (906 bytes)
If you use Internet Explorer v8, multiple iexplore.exe processes are normal.

I have noticed that you have multiple antivirus programs running.
AV: avast! Antivirus
AV: ESET NOD32 antivirus system 2.70
AV: Norton AntiVirus

You should decide which you want to keep and remove the others for the following reasons:
  • Multiple antivirus programs can cause conflicts that may leave the system more vulnerable.
  • Multiple antivirus programs can also slow down the system.

If you are using a paid program, consider removing the free programs. If you are using a trial of a paid program, please decide which programs you would like to keep and remove the others. You will find the following removal tools helpful:
  • Avast Removal
  • Norton Removal Tool
  • Eset Nod32 Uninstall
Note: Security programs are best removed while in Safe Mode. Download the removal tool and save it to your desktop. Boot into Safe Mode:
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Please reboot the system when you have made the change.
The only reference I find for pfloapob.sys other than your thread on the internet shows it is part of the GMER string. There is nothing about it being a Rootkit.

The size of the page file is dependent on its setting. You can find directions to change the page file on this Microsoft site: http://support.microsoft.com/kb/308417

What happened when you ran DDS?
Why are you running the scans in Safe Mode with network support?
Why did you proceed to Combofix and HijackThis? Neither is in the preliminary steps HERE.

HijackThis also does not work on a 64bit system but I looked at the log and it does not look like you have a 64bit OS.

I recommend that you remove the following:
Advanced SystemCare 3

You have an entry loading from the Registry> Side-by-side assembly (WinSxS) followed by x86 but there is no -64 after it.

After you have handled the above and run the correct scans, if you still think you have malware, run the correct program and leave the logs for us to review.
 
Hi there,

Thank you for your reply,

Okay, I haven't used NOD/Norton for years but thought it was fully removed.

pfloapob.sys - I did a search; I must have misread the information.

When running the DDS the black window popped up for a second with no letters, and then went away....?

I was under the impression that running a scan in Safe Mode with network support, for accessing the internet while in Safe Mode, was the best way to do it. Is this a bad idea?


The ComboFix and HijackThis I have had to use before, and then I saw this -

https://www.techspot.com/vb/all/windows/t-70086-2-processes-of-IEXPLOREEXE-in-my-task-manager.html

Not 64-bit... 32?

The main reason I decided to start checking things out is because I always get this weird scratching sound coming through my speakers when I have something nasty on my computer, but if the logs show nothing but the antiviruses and Advanced SystemCare as being the problem, it seems much easier to fix, hopefully :)

Also, I wanted to ask you: I usually always use Firefox without problems. They came out with the new 3.6 and now my Flash Player crashes every time. I decided to try and put it back to 3.5 and now Firefox doesn't work at all. Any ideas...?
Do you know why iexplore.exe is there twice? Is it because of the tabs?
Does it actually take up space on my paging file even when tabs are not open?

You need a password to download the NOD32 removal tool; I can't remember it. Going to try to remove it manually.

How do I get rid of stuff like this
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://fortunelounge.microgaming.com/generic/FlashAX2.cab
Can I just use HijackThis?

Thanks
~Meg
 
Do you know why iexplore.exe is there twice? Is it because of the tabs?
Old information can often be wrong information. For a more current assessment of IE8 please see this: IE8- What Are They Thinking?

I was under the impression that running a scan in Safe Mode with network support, for accessing the internet while in Safe Mode, was the best way to do it. Is this a bad idea?
Two things come to mind- first, Safe Mode with Networking does not run the security programs. So I don't advise it. IF you have any problem downloading and installing a program, it is best to do the download to a flash drive, then install on the problem computer. And also, some processes won't run in Safe Mode, meaning we won't see them.

Bottom line? Run scans in Normal Mode when possible unless your helper or the program instructions direct you otherwise.

So if multiple iexplore.exe processes are noted and you are running IE8 with no other 'symptoms', you are most likely seeing normal entries. but of course, malware can hide in almost any process, so if you experience other problems, it is always best to check for malware.

You need a password to download the NOD32 removal tool.
Please recheck that information. Usually you only need a password if you try to reinstall after the uninstall. But if you can't do the tool, other options can be found HERE.

When running the DDS the black window popped up for a second with no letters, and then went away....?
Just finish the scan.

weird scratching sound coming through my speakers when I have something nasty on my computer
I am not aware of any malware that causes a 'weird scratching sound.'

How do I get rid of stuff like this
The 016 entries in the log are Active X objects found in the Add-ons section of the browser: Open IE> Tools> Manage add-ons> remove those you don't want.

I don't know what compatibility programs there are with FF v3.6 and the flash player. FF v3.6 was in beta last time I checked- if it still is, stay in the latest update for v5 until v6 is final.

So far, this is not a malware problem. Please post in the Windows OS forum if these problems continue. I don't have the time to work on those system problems as this forum is very busy.


Edit:
When running the DDS the black window popped up for a second with no letters, and then went away....?
Normal - like this:
[image: dds-information.jpg]
 
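The thread's advice on the two iexplore.exe processes (multiple processes are normal on IE8, but malware can hide in almost any process) can be turned into a quick triage script. The following is an added example written for this page, not code from the thread or from TechSpot. It checks each iexplore.exe for three things that distinguish a legitimate IE8 tab process from something merely named iexplore.exe: the image lives in the IE install directory, it carries a valid Microsoft Authenticode signature, and its parent is the IE frame or the shell. The install paths and parent names used are Microsoft defaults and are assumptions for any given machine; the Security Center query at the end lists the registered antivirus products, which is how to confirm the multiple-AV situation Bobbye noticed.

```powershell
# Added example (not from the TechSpot thread): triage every running iexplore.exe.
# On IE8 one frame process plus one process per tab group is normal; what tells a
# tab process from a masquerading binary is where the image lives, whether it is
# Microsoft-signed, and which process started it. Paths and parent names below are
# Microsoft defaults and are assumptions for a given install.
$expectedDirs = foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
    if ($root) { Join-Path $root 'Internet Explorer' }
}
$okParents = @('iexplore.exe', 'explorer.exe')

# One WMI pass for all processes so parent names can be resolved by PID.
$all   = Get-WmiObject Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }
$ie    = @($all | Where-Object { $_.Name -ieq 'iexplore.exe' })

if ($ie.Count -eq 0) { Write-Host 'No iexplore.exe processes running.' }

foreach ($p in $ie) {
    $path       = $p.ExecutablePath
    $parent     = $byPid[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }

    # 1. Image must sit in the IE install directory, not %TEMP%, %APPDATA% or System32.
    $dirOk = $false
    if ($path) { $dirOk = $expectedDirs -contains (Split-Path -Parent $path) }

    # 2. Image must carry a valid Authenticode signature chaining to a trusted root;
    #    the subject check is a heuristic on top of that.
    $sigOk = $false
    if ($path -and (Test-Path $path)) {
        $sig   = Get-AuthenticodeSignature -FilePath $path
        $sigOk = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*Microsoft*')
    }

    # 3. Tab processes are children of the IE frame, and the frame is started by the
    #    shell. Any other parent (a dropper, a script host, svchost) needs a look.
    $parentOk = $okParents -contains $parentName

    $verdict = if ($dirOk -and $sigOk -and $parentOk) { 'looks normal' } else { 'INVESTIGATE' }
    New-Object PSObject -Property @{
        PID      = $p.ProcessId
        Parent   = "$parentName ($($p.ParentProcessId))"
        Path     = $path
        Cmd      = $p.CommandLine
        DirOk    = $dirOk
        SigOk    = $sigOk
        ParentOk = $parentOk
        Verdict  = $verdict
    }
}

# Registered antivirus products, as Windows Security Center sees them
# (root\SecurityCenter2 on Vista and later, root\SecurityCenter on XP).
# More than one entry here is the multiple-AV conflict described above.
foreach ($ns in 'root\SecurityCenter2', 'root\SecurityCenter') {
    $av = Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue
    if ($av) { $av | Select-Object displayName, pathToSignedProductExe; break }
}
```

Run it from an elevated Windows PowerShell prompt in Normal Mode, which is also where the thread says scans belong. Get-WmiObject is used rather than Get-CimInstance so the script works on the Windows PowerShell versions found on XP and Windows 7 era systems; on PowerShell 7 substitute Get-CimInstance. ExecutablePath comes back empty for processes the current user cannot open, which the script reports as INVESTIGATE rather than silently passing.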
I apologize, I really thought I had something else wrong, but thank you. As for the DDS, this is the screen that popped up, but with no letters, and if there were it was gone too fast to read. When I checked my processes it wasn't running, but no worries, since I don't have anything seriously wrong in this area I shouldn't need it.

Thank you again Bobbye
 
You're welcome. I came across it and copied the location.

If there are no problems, you can remove all of the tools we used and the files and folders they created:
  • Uninstall ComboFix and all backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.
    [image: CF_Uninstall-1.jpg]
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disk Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin

I'll close this thread now. If you need help in the future, let us know.

Keep in mind that if you suspect malware, it is better to come to the forum and let us help you instead of gathering random programs and running scans.
 
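The restore-point step in the cleanup post (create a fresh restore point, then remove the older ones so a later System Restore cannot reintroduce the infection) is shown here as an added scripted example for this page, not as anything from the thread. It assumes Windows Vista or later with System Restore enabled on the system drive; the description string, the registry reset and the use of WMI shadow-copy deletion in place of the Disk Cleanup "More Options" dialog are this example's own choices.

```powershell
# Added example (not from the thread): the post-cleanup System Restore step from
# an elevated Windows PowerShell prompt. Assumes Vista or later, client edition
# (Get-ComputerRestorePoint is not available on Server SKUs), System Restore on.
$desc = 'Post-malware-cleanup'   # arbitrary label, an assumption of this example

# Windows 8 and later silently skip Checkpoint-Computer if a restore point was
# made in the previous 24 hours unless this value is 0.
$srKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
Set-ItemProperty -Path $srKey -Name SystemRestorePointCreationFrequency -Value 0 -Type DWord

# 1. Create the restore point that captures the cleaned state.
Checkpoint-Computer -Description $desc -RestorePointType MODIFY_SETTINGS

# 2. Confirm it exists before deleting anything.
$newest = Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
if (-not $newest -or $newest.Description -ne $desc) {
    throw "Restore point '$desc' was not created; leaving old restore points alone."
}
Write-Host "Created restore point #$($newest.SequenceNumber): $($newest.Description)"

# 3. Restore points are stored as VSS shadow copies. Delete every shadow copy
#    except the newest, which backs the point just created. This also removes
#    any "Previous Versions" history, exactly as the Disk Cleanup button does.
$shadows = @(Get-WmiObject Win32_ShadowCopy | Sort-Object InstallDate)
if ($shadows.Count -gt 1) {
    foreach ($s in $shadows[0..($shadows.Count - 2)]) {
        Write-Host "Deleting shadow copy $($s.ID) created $($s.InstallDate)"
        $s.Delete()
    }
}

# What remains should be the single new restore point.
Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize
```

The order matters: the script refuses to delete anything unless the new restore point is verified first, so a failed Checkpoint-Computer (for example on a machine where System Restore is disabled) leaves the existing points in place rather than leaving the system with none.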