Solved Suspicious iexplore.exe processes always running

[Bigtuna00]

# AdwCleaner v2.001 - Logfile created 09/09/2012 at 16:53:16
# Updated 09/09/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Parents - PARENTS-PC
# Boot Mode : Normal
# Running from : C:\Users\Parents\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

File Found : C:\Users\Parents\AppData\Roaming\Mozilla\Firefox\Profiles\yjiglzqp.default\searchplugins\search.xml

***** [Registry] *****

Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v15.0 (en-US)

Profile name : default
File : C:\Users\Parents\AppData\Roaming\Mozilla\Firefox\Profiles\yjiglzqp.default\prefs.js

Found : user_pref("browser.search.defaultenginename", "AVG Secure Search");

-\\ Google Chrome v [Unable to get version]

File : C:\Users\Parents\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1144 octets] - [09/09/2012 16:53:16]

########## EOF - C:\AdwCleaner[R1].txt - [1204 octets] ##########

 

[Bigtuna00]

Running ESET Scanner from Chrome; the steps are slightly different. I tried to run it from IE and it failed. The pop-up window just showed a red X after some minutes (like a missing image). Just FYI.

 

[Bigtuna00]

5 threats so far (46% done)..bummer

 

[Bigtuna00]

C:\Qoobox\Quarantine\C\ProgramData\21guOreO.exe.virWin32/TrojanClicker.Agent.NEB trojancleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\ProgramData\21guOreO.exe_.virWin32/TrojanClicker.Agent.NEB trojancleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\Parents\AppData\Roaming\qmrds.dll.vira variant of Win32/Medfos.DE trojancleaned by deleting - quarantined
C:\Users\Parents\AppData\Local\{96AE75BE-F722-11E1-8270-B8AC6F996F26}\chrome\content\browser.xulJS/Redirector.NIQ trojancleaned by deleting - quarantined
C:\Users\Parents\Desktop\RK_Quarantine\qmrds.dll.vira variant of Win32/Medfos.DE trojancleaned by deleting - quarantined

 

[Bigtuna00]

Looks like 4 of them were just leftovers from other tools? Also just FYI I checked "delete quarantined" and "uninstall on exit" for ESET Scanner.

 

[Broni]

• Close all open programs and internet browsers.
• Double click on adwcleaner.exe to run the tool.
• Click on Delete.
• Confirm each time with Ok.
• Your computer will be rebooted automatically. A text file will open after the restart.
• Please post the contents of that logfile with your next reply.
• You can find the logfile at C:\AdwCleaner[S1].txt as well.

Next...

• Double click on adwcleaner.exe to run the tool.
• Click on Uninstall.
• Confirm with yes.

====================================

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Post resulting log.

2. Now, we'll remove all tools, we used during our cleaning process

Clean up with OTL:

• Double-click OTL.exe to start the program.
• Close all other programs apart from OTL as this step will require a reboot
• On the OTL main screen, press the CLEANUP button
• Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure, Windows Updates are current.

4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please, let me know, how your computer is doing.

 

[Bigtuna00]

# AdwCleaner v2.001 - Logfile created 09/09/2012 at 17:50:28
# Updated 09/09/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Parents - PARENTS-PC
# Boot Mode : Normal
# Running from : C:\Users\Parents\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Users\Parents\AppData\Roaming\Mozilla\Firefox\Profiles\yjiglzqp.default\searchplugins\search.xml

***** [Registry] *****

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

Restored : [HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

-\\ Mozilla Firefox v15.0 (en-US)

Profile name : default
File : C:\Users\Parents\AppData\Roaming\Mozilla\Firefox\Profiles\yjiglzqp.default\prefs.js

C:\Users\Parents\AppData\Roaming\Mozilla\Firefox\Profiles\yjiglzqp.default\user.js ... Deleted !

Deleted : user_pref("browser.search.defaultenginename", "AVG Secure Search");

-\\ Google Chrome v [Unable to get version]

File : C:\Users\Parents\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [1779 octets] - [09/09/2012 17:50:28]

########## EOF - C:\AdwCleaner[S1].txt - [1839 octets] ##########

 

[Bigtuna00]

All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: 2cruzers
->Temp folder emptied: 0 bytes

User: Administrator
->Temp folder emptied: 0 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Parents
->Temp folder emptied: 1878 bytes
->Temporary Internet Files folder emptied: 3683660 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 8315639 bytes
->Flash cache emptied: 598 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3116 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 11.00 mb


[EMPTYFLASH]

User: 2cruzers

User: Administrator

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Parents
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: 2cruzers

User: Administrator

User: All Users

User: Default

User: Default User

User: Parents
->Java cache emptied: 0 bytes

User: Public

Total Java Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.61.3 log created on 09092012_175336

Files\Folders moved on Reboot...
C:\Users\Parents\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

 

[Bigtuna00]

Working on the rest. Do you have an opinion about Bitdefender (vs MSE)? Thinking of upgrading my parents AV to something else.

 

[Bigtuna00]

I've got 5 or 6 items in Programs and Features that I uninstalled yesterday. Clicking uninstall gives a Windows Installer dialog saying "The feature you are trying to use is on a network resource that is unavailable". It's looking for the msi files usually, but I no longer have them. It's not giving me the option to just remove the entries (I.e. sometimes it will say something about the program has already been uninstalled and do you want to remove the entry?). Some of these I will probably re-install but not all of them. Any suggestions?

EDIT: This seems to be working: http://support.microsoft.com/kb/971187

 

[Broni]

Do you have an opinion about Bitdefender (vs MSE)?

I don't rate AV programs. To me they're all pretty much equal.

13. Please, let me know, how your computer is doing.

 

[Bigtuna00]

13. Please, let me know, how your computer is doing.

Cleared out the bogus uninstallation entries, got everything re-installed, running a full scan with BitDefender (estimated 1 hour + remaining) but so far everything seems fine.

Thanks again for all your help, I think my parents are interested in donating

 

[Broni]

Way to go!!
Good luck and stay safe