TechSpot OpenBoards
#1
Completed step 8 logs attached
Internet Explorer is slow to open; Task Manager shows two instances of iexplore.exe. I believe I have some type of infection. I would appreciate any help.
#2
Hi arbor13
When any cleaner is run, it is possible that, after one run removes certain powerful malware, it exposes more that were not even seen on the first run. The goal is to get these to come up clean or find something it cannot handle. So run both MBAM and SAS again and post the logs. Good job so far.
Mike
#3
iexplore.exe
Ran both programs again; they came up with 0 detected. Internet Explorer is still slow to open, and Task Manager shows two instances of iexplore.exe. I believe I have some type of infection. I would appreciate any help.
#4
hi arbor13
Yes, you likely do have more! OK, next step.
Download SDFix to Desktop; among other things it includes Catchme to look for rootkits. http://downloads.andymanchesta.com/R...ools/SDFix.exe
On Desktop run SDFix. It will run (install) then close.
Then reboot into Safe Mode: as the computer starts up, tap the F8 key several times. On the Boot menu choose Safe Mode. Click through all the prompts to get to the desktop.
At Desktop, open My Computer, C: drive. Double-click to open. Look for a folder called SDFix. Double-click to enter SDFix. Double-click RunThis.bat. Type Y to begin. SDFix does its job.
When prompted, hit the Enter key to restart the computer. Your computer will reboot. On normal restart the Fixtool will run again and complete the removal process, then say Finished. Hit the Enter key to end the script and load your desktop icons.
Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt. Copy and paste the Report.txt file to your next post.
Mike
#5
Mike,
Ran the SDFix program. Here is the log file:

SDFix: Version 1.240
Run by paul schneeweiss on Mon 11/24/2008 at 09:32 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :
No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2008-11-24 09:47:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\eSignal\\winros.exe"="C:\\Program Files\\eSignal\\winros.exe:*:Enabled:eSignal Data Manager"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

Files with Hidden Attributes :
Thu 29 Aug 2002 24,448 A.SHR --- "C:\NTBOOTDD.SYS"
Wed 10 Jan 2007 30,720 ...HR --- "C:\WINDOWS\CdaC13BA.EXE"
Wed 10 Jan 2007 112,128 ...HR --- "C:\WINDOWS\CdaC14BA.DLL"
Fri 22 Aug 2008 637,984 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
Sun 13 Apr 2008 1,695,232 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Sat 5 Aug 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 12 Sep 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Fri 12 Sep 2008 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Mon 13 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 21 Dec 2006 19,762,176 ...H. --- "C:\Documents and Settings\paul schneeweiss\My Documents\ArborHomeBldrs\~WRL0005.tmp"
Thu 4 Jan 2007 2,050,048 ...H. --- "C:\Documents and Settings\paul schneeweiss\My Documents\ArborHomeBldrs\~WRL2070.tmp"
Tue 4 Nov 2008 19,456 ...H. --- "C:\Documents and Settings\paul schneeweiss\My Documents\ArborWest\~WRL0332.tmp"
Tue 4 Nov 2008 19,456 ...H. --- "C:\Documents and Settings\paul schneeweiss\My Documents\ArborWest\~WRL1234.tmp"
Tue 4 Nov 2008 19,456 ...H. --- "C:\Documents and Settings\paul schneeweiss\My Documents\ArborWest\~WRL1591.tmp"
Tue 4 Nov 2008 19,968 ...H. --- "C:\Documents and Settings\paul schneeweiss\My Documents\ArborWest\~WRL3575.tmp"
Tue 4 Nov 2008 19,456 ...H. --- "C:\Documents and Settings\paul schneeweiss\My Documents\ArborWest\~WRL3992.tmp"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
Tue 4 Nov 2008 19,456 ...H. --- "C:\Documents and Settings\paul schneeweiss\Application Data\Microsoft\Word\~WRL0004.tmp"

Finished!

Thanks for your help. What next?
Internet Explorer still slow to load and 2 instances of iexplore.exe still in Task Manager.
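The "Authorized Application Key Export" in the SDFix report above is the Windows XP firewall exception list, one registry value per program in the form `"path"="path:scope:Enabled:name"`. The following added example (not SDFix's code, not from anyone in this thread) parses that block into records so the exceptions can be reviewed: which programs are reachable from any remote address (scope `*`), and which were added to one profile but not the other. The sample text is constructed from the export quoted in the post; the function and record names are my own.

```python
r"""Audit the XP firewall AuthorizedApplications list exported by SDFix.

Added example, not SDFix's own code. XP SP2/SP3 keeps per-profile application
exceptions under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\<profile>\AuthorizedApplications\List, one REG_SZ per program:
    "<path>"="<path>:<scope>:<Enabled|Disabled>:<display name>"
where <scope> is '*' (any remote address) or a list of addresses/subnets.
"""
import re
from dataclasses import dataclass

# Constructed sample: the two key blocks quoted in the SDFix report in this thread.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\eSignal\\winros.exe"="C:\\Program Files\\eSignal\\winros.exe:*:Enabled:eSignal Data Manager"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
'''

# Profile name sits between firewallpolicy\ and \authorizedapplications in the key path.
KEY_RE = re.compile(r"firewallpolicy\\(?P<profile>\w+)\\authorizedapplications", re.I)
# A .reg-style value line: "name"="value"
VALUE_RE = re.compile(r'^"(?P<name>.+?)"="(?P<value>.*)"$')
# The value's fields; the non-greedy path lets 'C:' keep its own colon.
FIELDS_RE = re.compile(
    r"^(?P<path>.*?):(?P<scope>[^:]*):(?P<state>enabled|disabled):(?P<desc>.*)$", re.I)


@dataclass(frozen=True)
class FirewallException:
    profile: str      # standardprofile or domainprofile
    path: str         # program path with registry escaping removed
    scope: str        # '*' means any remote address
    enabled: bool
    description: str  # display name, or an @dll,-id resource reference


def _unescape(s):
    # .reg exports double every backslash
    return s.replace("\\\\", "\\")


def parse_authorized_apps(text):
    """Return one FirewallException per value line, tagged with its profile."""
    exceptions, profile = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.search(line)
            profile = m.group("profile").lower() if m else None
            continue
        v = VALUE_RE.match(line)
        if not v or profile is None:
            continue
        f = FIELDS_RE.match(v.group("value"))
        if not f:
            continue  # not in the path:scope:state:name shape; skip rather than guess
        exceptions.append(FirewallException(
            profile, _unescape(f.group("path")), f.group("scope"),
            f.group("state").lower() == "enabled", f.group("desc")))
    return exceptions


def open_to_any(exceptions):
    """Enabled exceptions reachable from any remote address (scope '*')."""
    return [e for e in exceptions if e.enabled and e.scope == "*"]


def only_in_profile(exceptions, profile, other):
    """Program paths excepted in `profile` but absent from `other`."""
    paths = lambda p: {e.path for e in exceptions if e.profile == p}
    return sorted(paths(profile) - paths(other))


if __name__ == "__main__":
    recs = parse_authorized_apps(SAMPLE_EXPORT)
    for e in open_to_any(recs):
        print(f"{e.profile:16} {e.path}  ({e.description})")
    print("standard-only:", only_in_profile(recs, "standardprofile", "domainprofile"))
```

Every entry in this particular export is enabled with scope `*`, so the useful signal is the profile comparison: the two third-party programs (eSignal, McAfee Network Agent) were added to the standard profile only, which is what you would expect from installers rather than from Windows itself.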
#6
Hi Arbor
Thought you weren't coming back. Do the below and ATTACH the log!
ComboFix
NOTE: If your ComboFix is more than a few days old, delete it and re-download. Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe Or here: http://subs.geekstogo.com/ComboFix.exe
Double click combofix.exe and follow the prompts. When finished, it will open a log. Attach the log and a new HJT log in your next reply.
Note: Do not click ComboFix's window while it's running. That may cause it to stall.
After the above (not before), post a new HJT log. Once I see this log clean we will address your slowness and IE issues. But malware removal comes first.
Just so SOMEONE thinks I am missing multiple virus scanners: I am not, and this HJT log may or may not get cleaned this time, but will be before we are finished.
Mike
Last edited by mflynn; 11-24-2008 at 12:17 PM.
#7
Well Mike, I DO notice and will take issue with the multiple antivirus programs running not being handled.
arbor13, only one antivirus program should be running. You have processes loading from 3 antivirus programs, plus you have an online scanner running in the background. The reason this needs to be handled now is because the multiple programs can cause a conflict that may leave you with little or NO AV protection. Decide which one you want to keep, remove the entries for ALL of the other programs, uncheck them on startup and uninstall them.
Additionally, you're running Norton Ghost, backing up your infected files. You need to disable that program for now. When your system is clean, the old infected restore points will be dropped (they show infected in MBAM), so do NOT use System Restore; so why continue backing up infected files?
These are the entries, programs and Services you need to be concerned with:
Quote:
#8
Ok Arbor
You can do the above now if you want. My priority is to get you clean of malware and then address these system issues. If you do the above first, before we get you clean, my recommendation is Avira if you get rid of one. Or if you like McAfee then you can actually have two virus scanners as long as only one is online active. In this case it is an on-command scanner and has to be explicitly updated and run. Your choice.
The AVG Antispyware is defunct and needs to be uninstalled. All of these I would do when you are clean.
Mike
#9
Two IEXPLORE.EXE Processes
Mike,
Followed your instructions: The ComboFix log and HJT log are attached. I have Comcast cable internet service and they provide free McAfee, so I would like to keep that, unless there is something better. I read the other reply and am not sure how to go about removing the other scanners, or how to keep it loaded but only when I want to run it. Please let me know and I will make those changes.
Thanks, Paul
#10
OK so we keep McAfee
Reboot. Run ComboFix again and post the log. Use HJT Scan only to remove the below.
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL (file missing)
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll (file missing)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
Then go into Control Panel, Add/Remove Programs and uninstall AVG Anti-Spyware and Avira AntiVir. Post a new HJT log after all the above.
Mike
#11
Next step
Mike,
Followed your last instructions. Attached are the new ComboFix log and the HJT log. Also removed AVG Anti-Spyware and Avira AntiVir. Just a quick question. I have been trying to keep up with what is being done, but wondering what type of malware this computer is infected with. Is it still infected? Will await further instructions.
Thanks for your help, Paul
#12
Ok, well you don't know: you are clean
except apparently you did not do the HJT deletions. Run HJT Scan only, place a check mark in the boxes by these and then delete:
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll (file missing)
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL (file missing)
At your option, in Add/Remove Programs uninstall a2; not a CPU hog but not really needed.
As to what you had, read the MBAM logs, look under infection and found/deleted/quarantined and you will see them. I am at work now but will make closing suggestions on how to stay clean later tonight or in the morning.
Mike
#13
Additional Questions
Mike,
I followed your last instruction and removed the 2 HJT entries. Also removed a2. I then opened Internet Explorer and still have the same problem, with 2 processes showing up in Task Manager. One of them is 25,272K and the other is 1,076K (just leaving IE open). If I try End Process on the small one, Internet Explorer closes immediately. If I try End Process on the larger one, I get a little bubble saying "This tab has been recovered. A problem with this webpage caused Internet Explorer to close and reopen this tab", and the mem usage goes down to about half and then back to 25K again. I'm concerned that there still is something wrong with this computer. Please let me know what you think and how to proceed.
Thanks again, Paul
#14
Not malware or virus.
A misconfiguration. Do Number 1 only here: http://www.techspot.com/vb/post680361-2.html But do it from Internet Options in Control Panel with IE closed.
Mike
#15
Quote:
#16
Two IEXPLORE.EXE processes
Sorry it took so long to reply, but I was away for the holidays.
Mike, I followed your instructions and RESET Internet Explorer. Did not help.
Bobbye, there are two IEXPLORE.EXE processes that show up in Task Manager as soon as I open Internet Explorer. Without doing anything in Internet Explorer but opening it, this is what shows in Task Manager:
iexplore.exe username 00 17,152 K
iexplore.exe username 00 19,412 K
If I end task on the smaller one (first one) it closes Internet Explorer immediately and both processes disappear. If I end task on the larger one (second one) both processes remain and I receive an error message in Internet Explorer stating "This tab has been recovered. A problem with Internet Explorer caused it to close and reopen this tab". I have checked other computers, and they only show 1 entry in Task Manager. Therefore, I think I am still infected with something on this computer. No idea what though. Hope you can point me in the right direction. Mike has been very helpful to this point.
Thanks in advance for your help and support. Paul
#17
This was overlooked:
Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00
IE8 is still in beta testing. That means there are still bugs to work out. Only beta testers should be using the beta versions of software. Suggest you uninstall IE8 and go back to IE7 if that's what you were using. That possibly might be the problem.
EDIT: IF this hasn't been done, please verify that this is your ISP:
From description of OpenDNS: To use OpenDNS, all you have to do is open your Network Connections or Router's settings page and update the default DNS server to point to the OpenDNS nameservers that are 208.67.222.222 and 208.67.220.220.
208.67.222.222
OrgName: OpenDNS, LLC
OrgID: OPEND-2
Address: 199 Fremont St.
Address: 12th Floor
City: San Francisco
StateProv: CA
PostalCode: 94105
Country: US
O17 - HKLM\System\CCS\Services\Tcpip\..\{129B3878-F654-4D0C-A5AC-CFC2ED8663E0}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{129B3878-F654-4D0C-A5AC-CFC2ED8663E0}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS2\Services\Tcpip\..\{129B3878-F654-4D0C-A5AC-CFC2ED8663E0}: NameServer = 208.67.222.222,208.67.220.220
Last edited by Bobbye; 12-01-2008 at 12:33 PM. Reason: Addition
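Two recurring checks in this thread are done by eye on HijackThis output: the "(file missing)" / "(no file)" entries that Mike lists for removal in posts #10 and #12, and the O17 NameServer lines Bobbye compares against the OpenDNS resolvers above. The following added example (my own code, not HijackThis's and not posted by anyone in the thread) parses HJT-style lines into records and automates both checks. The sample input is constructed from the entries quoted in posts #10, #12 and #17, plus one invented O17 line (zero GUID, documentation address 192.0.2.1) so that a resolver outside the expected set is actually flagged; the function names are my own.

```python
r"""Triage HijackThis (HJT) log entries: orphaned registrations and O17 DNS settings.

Added example, not HijackThis's own code. HJT prints one entry per line as
    <code> - <section>: <detail>
e.g. 'O2 - BHO: <name> - {CLSID} - <dll path>' or
     'O17 - HKLM\System\CCS\Services\Tcpip\..\{interface}: NameServer = a,b'.
"""
import re
from dataclasses import dataclass

# Constructed sample: entries quoted in this thread, plus one invented O17 line
# (all-zero interface GUID, documentation address 192.0.2.1) to exercise the DNS check.
SAMPLE_HJT = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL (file missing)
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll (file missing)
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll (file missing)
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL (file missing)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{129B3878-F654-4D0C-A5AC-CFC2ED8663E0}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{129B3878-F654-4D0C-A5AC-CFC2ED8663E0}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS2\Services\Tcpip\..\{129B3878-F654-4D0C-A5AC-CFC2ED8663E0}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.1,208.67.222.222
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

# The resolvers the thread expects to see (OpenDNS, from Bobbye's post).
OPENDNS_RESOLVERS = frozenset({"208.67.222.222", "208.67.220.220"})

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*(?P<servers>[\d.,\s]+)$")
ORPHAN_MARKERS = ("(file missing)", "(no file)")


@dataclass(frozen=True)
class HjtEntry:
    code: str     # HJT section code, e.g. O2, O17
    section: str  # text before the first ': ' (BHO, Toolbar, a registry key, ...)
    detail: str   # the rest of the line


def parse_hjt(text):
    """Return one HjtEntry per recognisable log line; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        section, sep, detail = body.partition(": ")
        if not sep:  # no 'section:' prefix on this line type
            section, detail = "", body
        entries.append(HjtEntry(m.group("code"), section, detail.strip()))
    return entries


def orphaned(entries):
    """Entries whose target file no longer exists; HJT can drop the stale registration."""
    return [e for e in entries if e.detail.endswith(ORPHAN_MARKERS)]


def nameservers(entries):
    """Map each O17 interface key to the list of DNS resolvers configured on it."""
    result = {}
    for e in entries:
        if e.code != "O17":
            continue
        m = NAMESERVER_RE.search(e.detail)
        if m:
            result[e.section] = [s.strip() for s in m.group("servers").split(",") if s.strip()]
    return result


def unexpected_nameservers(entries, allowed=OPENDNS_RESOLVERS):
    """(interface key, resolver) pairs that point somewhere other than the expected resolvers."""
    return [(key, s) for key, servers in nameservers(entries).items()
            for s in servers if s not in allowed]


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_HJT)
    print("orphaned entries:")
    for e in orphaned(entries):
        print(f"  {e.code} {e.section}: {e.detail}")
    print("resolvers outside the allowlist:")
    for key, server in unexpected_nameservers(entries):
        print(f"  {server} on {key}")
```

On the thread's own three O17 lines the allowlist check returns nothing, which is exactly Bobbye's conclusion; only the invented line trips it. The orphan list matches the five entries Mike asked to have removed across the two posts.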
#18
Good catch Bobbye
I did miss that it was IE8; I think you hit the nail on the head. I will add that after you uninstall IE8, if you still have issues, consider overlaying/reinstalling IE7. Bobbye may have some thoughts on this also.
Mike
#19
Another Question
Bobbye & Mike,
I uninstalled IE8 and am back to IE7 with all 13 updates. IEXPLORE.EXE only appears once in Task Manager and it loads the first page in about 3 seconds. Much better. I was wondering if you could look at the attached file (screen capture) of my Task Manager. GoogleDesktop.exe is showing up twice. Also, SVCHOST.exe shows up 6 times. Is this normal or is there still a problem with this computer?
Thanks again for your help in getting Internet Explorer running again and removing the MALWARE. Paul
#20
Bobbye & Mike,
I also wondered what I would need to clean up (delete) from all of the MALWARE scanning programs that were downloaded to my computer. Please let me know.
Thanks, Paul