Solved Two versions of iexplore.exe in Task Manager, Event ID 850

Status
Not open for further replies.
I Could Scream!

Bobbye:

I deleted CFScript.exe, and tried to run the ComboFix scan.

It is still stalling at the 32788R22FWJFW file - as soon as it hits Assoc.cmd, it can't read it.

I previously deleted this folder, but it came back, as I mentioned a few posts ago.

Is this file legitimate, or not? If not, how can I get rid of it? Or should we use a different malware scan?

I don't understand why we can't get past this point.
 
Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
==========================================
Reboot the computer.
==========================================
Run Please download ATF Cleaner by Atribune
This program is for XP, Vista and Windows 2000 only

  • [1] Double-click ATF-Cleaner.exe to run the program.
    [2] Under Main choose: Select All
    [3] Click the Empty Selected button.

    If you use Firefox browser
    [1] Click Firefox at the top and choose:Select All
    [2] Click the Empty Selected button.
    [3] NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser
    [1] Click Opera at the top and choose: Select All
    [2]Click the Empty Selected button.
    [3]NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main menu to close the program.

=======================================
Reboot the computer.
======================================
NOTE: If, for some reason, Combofix refuses to run, try one of the following:
1. Run Combofix from Safe Mode.
2. Delete Combofix file, download fresh one, but rename combofix.exe to
sunday.exe BEFORE saving it to your desktop.
Do NOT run it yet.
-------------------------------------
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
  • Rkill.com
  • Rkill.scr
  • Rkill.pif
  • Rkill.exe
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run then try to immediately run the following>>>>.

Please download exeHelper by Raktor and save it to your desktop.
  • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
  • A black window should pop up, press any key to close once the fix is completed.
  • A log file called exehelperlog.txt will be created and should open at the end of the scan)
  • A copy of that log will also be saved in the directory where you ran exeHelper.com
  • Copy and paste the contents of exehelperlog.txt in your next reply.

Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).

Rkill instructions
Once you've gotten one of them to run
  • immediately double click on sunday.exe to run
  • If normal mode still doesn't work, run BOTH tools from safe mode.

In you have done #2, please post BOTH logs, rKill and Combofix.

L:eave the new logs for me.

Also, please give me an update on the system.
 
Some Scan Logs

Bobbye:

1) I tried running my second version of ComboFix in Safe Mode. It began to scan, but it once again said Threatfire was still running on my machine, even though I deleted it last week. I ignored this, but when it came time to compile the report, it gave the message "This version is expired, do you want to complete scan w/reduced functionality?" I said No and aborted the scan. I uninstalled this version of Combofix, and downloaded a new version under "sunday.exe" to my Desktop.

2) I downloaded ATF Cleaner, which stalled on the first go-round. I reran it successfully, and rebooted.

3) I downloaded Rkill.com, which ran but said there were processes in use which it could not review, and showed nothing in the report. I decided to run it in Safe Mode, but on the reboot, there was a System Error Oxxx... - it went too fast for me to record it. I will have more comments re: this in my next reply.

The Rkill report follows:

Rkill was run on 07/13/2011 at 21:17:10.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\WINDOWS\system32\userinit.exe


Rkill completed on 07/13/2011 at 21:17:13.

Next is the log for ComboFix.
 
Combofix Log

I ran ComboFix as sunday.exe. Once it began, it yet again complained that Threatfire and Avira Antivir were running, even though Threatfire has been deleted, and I ran Safe Mode without networking (Antivir not on).

Here is the log:

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.803 [GMT -4:00]
Running from: c:\documents and settings\Karen\Desktop\sunday.exe
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: ThreatFire *Enabled/Updated* {67B2B9A1-25C8-4057-962D-807958FFC9E3}
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((( Files Created from 2011-06-14 to 2011-07-14 )))))))))))))))))))))))))))))))
.
.
2011-06-30 02:04 . 2011-06-30 02:04 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-27 23:09 . 2011-06-27 23:09 -------- d-----w- c:\documents and settings\Karen\Application Data\Malwarebytes
2011-06-27 23:09 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-27 23:09 . 2011-06-27 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-27 23:09 . 2011-06-27 23:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-27 23:09 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-19 17:07 . 2011-06-19 17:07 -------- d-----w- c:\program files\Macrium
2011-06-19 16:47 . 2011-06-19 16:47 388096 ----a-r- c:\documents and settings\Karen\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-17 02:25 . 2011-06-17 02:26 -------- d-----w- c:\program files\Common Files\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-10 02:35 . 2011-05-19 20:55 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-05 02:05 . 2009-05-24 19:02 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-07-05 02:05 . 2009-05-24 19:02 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-06-30 08:38 . 2010-06-01 23:00 97504 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-06-30 08:38 . 2010-06-01 23:00 29400 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-06-30 08:38 . 2010-06-04 15:55 242600 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-06-30 08:38 . 2010-06-01 23:00 17416 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-06-30 08:37 . 2010-06-01 23:00 285256 ----a-w- c:\windows\system32\guard32.dll
2011-06-30 02:04 . 2010-05-24 02:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-20 00:10 . 2010-04-05 20:33 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-06-08 03:10 . 2011-06-08 03:10 12952 ----a-w- c:\windows\system32\drivers\PSVolAcc.sys
2011-06-08 03:09 . 2011-06-08 03:09 16024 ----a-w- c:\windows\system32\drivers\pssnap.sys
2011-06-08 03:09 . 2011-06-08 03:09 45208 ----a-w- c:\windows\system32\drivers\psmounter.sys
2011-06-02 14:02 . 2007-01-31 22:25 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 15:31 . 2008-03-17 19:29 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-04 04:56 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2007-01-31 22:26 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07 . 2007-01-31 22:25 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-26 11:07 . 2004-08-04 04:56 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-04-25 16:11 . 2007-01-31 22:27 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-04 04:56 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 16:11 . 2004-08-04 04:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 12:01 . 2004-08-04 02:59 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-04 03:15 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-07-01 2424192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-07 281768]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-06-30 2554696]
.
c:\documents and settings\Karen\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-04 23:12 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^Karen^Start Menu^Programs^Startup^Secunia PSI.lnk]
backup=c:\windows\pss\Secunia PSI.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXCTCATS]
2006-11-21 12:27 106496 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\lxcttime.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)
"wltrysvc"=2 (0x2)
"Fax"=2 (0x2)
"gupdate"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\lxctcoms.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera9.64\\opera.exe"=
.
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [6/7/2011 11:09 PM 16024]
S1 a2injectiondriver;a2injectiondriver;c:\program files\Emsisoft Anti-Malware\a2dix86.sys [7/25/2010 9:37 PM 41928]
S1 a2util;a-squared Malware-IDS utility driver;c:\program files\Emsisoft Anti-Malware\a2util32.sys [7/25/2010 9:37 PM 11776]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [6/4/2010 11:55 AM 242600]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [6/1/2010 7:00 PM 29400]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/14/2009 2:22 PM 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 67656]
S2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [7/25/2010 9:37 PM 2978720]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/24/2009 3:02 PM 136360]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;gupdate;c:\program files\Google\Update\GoogleUpdate.exe [12/10/2010 2:15 AM 136176]
S2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [6/7/2011 11:09 PM 220824]
S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [7/25/2010 9:37 PM 73728]
S3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [3/17/2008 6:25 PM 92550]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 12872]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [5/31/2009 3:08 PM 987648]
S3 VSTHWICH;VSTHWICH;c:\windows\system32\drivers\VSTICH3.SYS [5/31/2009 3:08 PM 242176]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-14 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2011-02-27 16:28]
.
2011-07-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2011-03-04 16:14]
.
2011-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-10 06:14]
.
2011-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-10 06:14]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{409FFF59-F53C-4044-B8A3-B561A6C73769}: NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{518C03EA-FDDF-4B78-B1D6-B4EAB72AF430}: NameServer = 156.154.70.22,156.154.71.22
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-13 21:33
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1060284298-1993962763-854245398-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(220)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(1480)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
.
Completion time: 2011-07-13 21:36:34
ComboFix-quarantined-files.txt 2011-07-14 01:36
ComboFix2.txt 2011-06-30 03:12
.
Pre-Run: 58,418,487,296 bytes free
Post-Run: 58,405,531,648 bytes free
.
- - End Of File - - 6BDAB9C9B9D1804FF313A46335B2F00A
 
System Error Log shows problems upon reboot

Bobbye:

When I rebooted to run Rkill.com and ComboFix in Safe Mode, there was a System Error. I ran the scans, but my system Error Log shows a lot of the following:

DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server .....

DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server....

DCOM got error "%1084" attempting....service netman with argument....

(multiple instances w/2 different server designations)

Service Control Mgr: The following boot-start or system-start drive(s) failed to load: a2injectiondriver AFD APPD RV etc, etc.

Service Control Mgr: The IPSEC services service depends on the IPSEC driver which failed to start because of the following error: A device attached to the system is not functioning.

Svc Control Mgr: TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the error: A device attached to the system is not functioning.

Svc Control Mgr: The DNS Client service depends on the TCP/IP Protocol Driver service which failed.......device attached in not functioning.

And so on.

This looks bad - is it something I should be worried about?
 
Raktor scan logs

I ran Raktor twice. The first time, the screen showed:

exeHelper by Raktor
Build 20100414
Run at 22:30:43 on 07/13/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Error occurred while processing: exefile.
Error occurred while processing: .exe.
Resetting filetype association for .com
Error occurred while processing: comfile.
Error occurred while processing: .com.
Resetting userinit and shell values...
Resetting policies...
--Finished--

Press any key to continue . . .

Because of the errors, I ran it again. Here is the compiled log:

exeHelper by Raktor
Build 20100414
Run at 22:30:43 on 07/13/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor
Build 20100414
Run at 22:36:11 on 07/13/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--


I would like to delete from my Desktop some of the stuff we've been using (Malwarebytes, GMER, ddr.scr, ATF-Cleaner, sunday.exe, the various logs, etc.) Can I do that now?

Please advise. Thanks very much.
 
Please just follow my directions. The error are indicating there wasn't an internet connection as you were running in Safe Mode. You should not be doing the scans in Safe Mode unless 1. you can't get into Normal Mode or 2. I instruct you to do something in Safe Mode.

Running in S/M does not load all the drivers and some things won't work.

The purpose of running RKill was to stop processes that were interfering with running Combofix. You don't understand the Event Viewer and are only making problems for yourself. Running in Safe Mode so your security won't run is not proper. You disable the security.

Tell me please- you you having any actual system problem from malware? If not:

Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
-----
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
------------------------------------------
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    [*]Choose Disc Cleanup
    [*]Click "OK" to select the partition or drive you want.
    [*]Click the "More Options" Tab.
    [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin
 
Status
Not open for further replies.

Similar threads

J
Solved Multiple instances of iexplore.exe in Task Manager
Replies
12
Views
23K
Broni
Broni
C
Solved Multiple IE running in task manager, Google search gets hijacked
Replies
16
Views
4K
Broni
Broni
hiker1092
Solved Multiple instances of iexplore.exe in Task Manager
Replies
23
Views
13K
Broni
Broni

Latest posts

Back