[Solved] Very serious virus - iexplore.com redirecting and won't let me do restore


gw157

I recently noticed a serious malware/trojan on my laptop. I started noticing audio on my laptop activating every 10 minutes with some voice ads. Task Manager shows iexplorer.com hogging the resources. When I disable the iexplorer in Task Manager, the audio stops, but a few minutes later it is back.

I did the Live Care online scan with Microsoft (it detected 15 pieces of malware and removed them), but the problem persists. I googled various anti-malware tools, but when I click on a link it always redirects to a weird site, or sometimes it won't let me connect at all.

I finally downloaded the Malwarebytes free malware scan, but my computer won't let me open it. I restarted my computer in safe mode and opened the download there. I ran it the first time using a quick scan in safe mode, and it detected 15 problems... I went back to normal startup; the audio problem stopped, but the redirecting from Google and iexplorer reappearing and hogging resources continue (no matter how often I deactivate it - and my Internet Explorer is never open).

I went back to safe mode and ran Malwarebytes doing a full scan; this time it detected 2 problems and deleted them.

However, that didn't take care of the problem... I still have iexplorer showing up in my Task Manager. I ran the full scan in safe mode for a 3rd time... this time 1 problem was detected and removed, and this time I tried the restore function on my computer. The computer restarted but it failed to restore to the set time, and no change was made to my computer.

I tried to download Prevx 3.0, but again the computer wouldn't let me open it... I had to open it in safe mode and scan in regular mode via the online scan... but no malware was detected...

I tried to go to the superantispyware.com website, but my Firefox or Google Chrome can't connect to that site... "DNS failure" was the error. It connects to other sites, but not that site. I accessed superantispyware.com from my desktop, downloaded the free scan to my USB stick and transferred it to my infected laptop.

Even in safe mode, the computer states "the system administrator has set policies to prevent this installation" and won't let me install the program. It is not a network computer and I am the only one using this computer, so somehow the virus is preventing the antispyware program from being installed. I tried to do a system restore from safe mode, and it won't let me do that either... "failed to restore to set date, no change has been made to your computer"...

I am at my wits' end... any help would be appreciated... thanks...

 
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


Download HijackThis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
by clicking on Installer under Version 2.0.2
[DO NOT download version 2.0.3 (beta)]
Install, and run it.
Post HijackThis log.
Do NOT attempt to fix anything!

NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
 
I tried the link to combofix, and just as the virus won't let me access the antispyware.com site, it won't let me access the combofix site. I get an error message "server not found"... any way to get around this?
 
I tried the second link to combofix, and the virus is redirecting me to some foreign language website...
 
Download Combofix on another computer.
Rename combofix.exe to broni.exe.
Move the file to the bad computer using a USB flash drive and run it.
 
BTW, combofix found and deleted 5 rootkeys... and seems to have resolved the redirecting issue... I am still monitoring the Task Manager to see if iexplorer appears again...
 
Before running the following script, please move the broni.exe file from drive E (your flash drive?) to your computer desktop, as I asked initially.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
C:\PREVXCSIFREE.EXE
c:\documents and settings\All Users\Application Data\fiosejgfse.dll
c:\windows\{6484F353-C631-4B34-AC85-4DA63A1A49EC}.dat
c:\windows\{81A9A1A5-D0AE-44A7-9355-20099131B17F}.dat
c:\windows\{8EB60B99-65F3-44DF-96AE-0721416152C6}.dat
c:\windows\{BAED3E9D-4352-45C2-9862-5E4F13349821}.dat
c:\windows\{E138755D-A192-4170-917C-BC47CCF64518}.dat
c:\windows\{E8F5F400-27F7-4A93-A38A-5000B6921CD7}.dat
c:\windows\{EE8213ED-DCBD-47E7-BF2C-B904D2CF00FA}.dat
c:\windows\system32\{5A4BAECA-B4DA-4BEF-88F6-37F007606BEF}.dat
c:\windows\system32\{94BB7B6C-4FA6-42AD-8AA5-860875DF85EB}.dat
c:\windows\system32\{BC46D06A-A148-4CCE-B37F-3D6858DC4C72}.dat
c:\windows\system32\{C0641D9C-5904-4C0B-859B-B698C85C2389}.dat
c:\windows\system32\{E0D8E8C9-AD9C-453A-93E3-54D78D1CD81C}.dat
c:\windows\system32\{F18CAA39-87EB-4B54-A406-AE8F69AE7746}.dat
c:\windows\system32\{F8DBD188-75AA-417E-B804-0EE0026FDA99}.dat
c:\windows\system32\drivers\pxkbf.sys
.

Folder::
c:\windows\_VOIDqvnfteixth


Driver::
pxkbf

Registry::

RegLockDel::


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScript.gif]



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
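
The CFScript format above is simple enough to parse and, more usefully, to re-check after ComboFix has run. The Python below is an added example, not part of the thread or of ComboFix itself: it splits the script into its directive blocks and reports any File::/Folder:: entry still present, treating the lone "." that ends the File:: list as a block terminator (an assumption about the format) and using a shortened copy of the posted script as sample input.

```python
import re
from typing import Callable, Dict, List

# Excerpt of the CFScript posted above (a shortened, constructed copy; the original lists more .dat files).
SAMPLE_SCRIPT = r"""File::
C:\PREVXCSIFREE.EXE
c:\documents and settings\All Users\Application Data\fiosejgfse.dll
c:\windows\system32\drivers\pxkbf.sys
.

Folder::
c:\windows\_VOIDqvnfteixth

Driver::
pxkbf

Registry::

RegLockDel::
"""

# A directive is a bare word followed by '::' on its own line (File::, Folder::, Driver::, ...).
SECTION_RE = re.compile(r"^([A-Za-z]+)::$")


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Return {directive: [entries]}; a lone '.' closes a block early, blank lines are ignored."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:                      # new directive block
            current = m.group(1)
            sections.setdefault(current, [])
        elif line == ".":          # explicit end of the current block (assumed format rule)
            current = None
        elif current is not None:  # an entry belonging to the open block
            sections[current].append(line)
    return sections


def remaining_artifacts(sections: Dict[str, List[str]],
                        exists: Callable[[str], bool]) -> List[str]:
    """File::/Folder:: entries that still exist after the run; `exists` is injected
    (os.path.exists on the cleaned machine) so the check can also run offline."""
    targets = sections.get("File", []) + sections.get("Folder", [])
    return [p for p in targets if exists(p)]
```

On the cleaned machine, call `remaining_artifacts(parse_cfscript(open("CFScript.txt").read()), os.path.exists)`; an empty list means every listed file and folder is gone.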
 
My keyboard and mouse froze up after 2nd combofix run

Hi,

I did exactly as you said... as soon as I tried to type in a name for the combofix log, my keyboard and mouse froze... I restarted the computer and tried to type into TechSpot, and the keyboard and mousepad froze up...

The mouse works fine, but as soon as I type something, everything freezes up... my feeling is one of the drivers got corrupted in this combofix run... I am typing this from another computer. Any suggestion on how to fix this? Thanks.

BTW, on the second run of combofix, there were approximately 15 files that were deleted...
 
Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

====================================================================

Print these instructions out.

NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

***VERY IMPORTANT! Make sure you update Malwarebytes before running the scans.***


STEP 1. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
(Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Quick Scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

RESTART COMPUTER!

STEP 2.
Post fresh HijackThis log.
NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
Do NOT attempt to "fix" anything!


DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
My keyboard is corrupted

Right now I can't type anything on my computer, because after the second run of combofix, the keyboard and mousepad freeze if I try to input any letter from the keyboard... how do I rectify this?

The Dell website doesn't seem to have a keyboard driver for laptops... should I use the restore function from Windows?
 
Since I can't type anything on my computer, should I just run Malwarebytes without uninstalling combofix?

Again, I am using my desktop to post this... my keyboard got corrupted and Dell doesn't seem to have a driver for this...
 
Help... I need anybody who knows how to get my keyboard functioning again on my laptop to please post... thanks
 
Please run Malwarebytes without uninstalling Combo.
DO NOT use system restore as it'll bring all infection back.
 
OK... I am running it now... I tried to load several drivers from the Dell website, but none of them work... I tried running the Dell driver reset tool... and it says "vxd loader needs fixing... Microsoft keyboard... do you want to fix it?" When I click yes, it goes into diagnostics and restarts the computer, but the problem persists.

The keyboard is part of the Windows OS; it shouldn't require a special driver. Some registry is corrupted... I need to restore that to get my keyboard back...

BTW, I am running Malwarebytes right now. I set it as a quick scan (I wasn't sure whether you wanted a full or quick scan). I'll get you the log as soon as it finishes the scan.
 
1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


2. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

Post fresh HijackThis log as well.
 
I did exactly as you said... after 3 hours of scanning with the online Kaspersky, the program just hung and stalled for 40 minutes after the scan was 97% complete. The scan so far detected 8 infections...

But when I tried to view the report, it wouldn't allow me because the scan was not completed. I tried to stop the scan and view the report; still it won't let me. Long story short, I know there are some infections still present but I don't know where they are.

I am running Kaspersky again from scratch and hope that it won't stall.

I also took a look at the Device Manager for my keyboard problem. It has a driver problem, and when I tried to reinstall it from the Windows XP CD, it wasn't successful. It says the registry is corrupted. Do you know if this is from the virus, or is it from combofix? How do I get the registry back so I can get my keyboard functioning again?

thanks
 
We'll get to your keyboard issues when we know for sure your computer is clean.
If you're still having problems with Kaspersky, here is an alternative...

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Push Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
 
The ESET scan detected 5 or 6 infections. I quarantined them and ran a HijackThis scan. Kaspersky detected 8 infections before stalling out - I ran it 2x and it stalls out at the same file.

I really need to get my keyboard functioning again. - HELP
 
Those discovered files are OK.
Some of them were in Combofix quarantined folder and the other ones in restore points, which we'll reset in a moment.
It looks like Combofix didn't uninstall correctly, so make sure you delete any of the following files, if found:
Delete the Combofix and Qoobox folders, and the Combofix.txt file, from C:
Delete broni.exe from your desktop.

=======================================================================

Verify your Java version here: http://www.java.com/en/download/installed.jsp
Update, if necessary.
Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista).

========================================================================

Disable TeaTimer, as it'll interfere with the cleaning process:
Right click Spybot's TeaTimer System Tray Icon.
Click Exit Spybot-S&D Resident.
TeaTimer closes.
NOTE. If on re-boot, Spybot inquires about registry change(s), allow it.

Alternatively, I suggest you uninstall Spybot, since it's a tool of the past.

=========================================================================

Print this post out, since you won't have access to it at some point.

1. Open HijackThis.

2. Close all windows, except for HijackThis.

3. Put checkmarks next to the following HijackThis entries:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)



4. You should also checkmark the following entries (these are unnecessary startups; no actual programs will be removed):

O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKUS\S-1-5-21-446617304-2142562485-3693692941-1008\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'QBDataServiceUser17')
O4 - HKUS\S-1-5-21-446617304-2142562485-3693692941-1008\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'QBDataServiceUser17')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE


5. Click on Fix checked button.

6. Restart computer.

7. Post new HijackThis log.
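
As an added example (not from the thread or from HijackThis itself), the Python below reads HijackThis entries like those listed above, pulls out the "(no file)" CLSIDs marked for fixing and the O4 autostart values, and compares against a second log to show which fixed entries have come back after a reboot. The post-reboot log is constructed for the example.

```python
import re
from collections import namedtuple
from typing import List, Tuple

# HijackThis lines quoted from the post above (a constructed excerpt, not a complete log).
LOG_BEFORE = r"""R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKUS\S-1-5-21-446617304-2142562485-3693692941-1008\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'QBDataServiceUser17')
O4 - Global Startup: Digital Line Detect.lnk = ?
"""
# Constructed post-reboot log: the O2 entry has come back, the R3 entry has not.
LOG_AFTER = r"""O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")  # "O4 - <body>"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")                  # {8-4-4-4-12 hex}
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
Entry = namedtuple("Entry", "kind body")  # kind: section code (R3, O2, O4); body: text after " - "


def parse_hjt(text: str) -> List[Entry]:
    """Keep only lines of the form '<code> - <body>'; headers and blank lines are dropped."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append(Entry(m.group("kind"), m.group("body")))
    return out


def orphan_clsids(entries: List[Entry]) -> List[str]:
    """CLSIDs still registered as BHO/URLSearchHook whose DLL is gone ('(no file)')."""
    return [CLSID_RE.search(e.body).group(0) for e in entries
            if e.body.endswith("(no file)") and CLSID_RE.search(e.body)]


def run_keys(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """(hive, value name, command) for each O4 ...\\Run autostart; .lnk startup lines are skipped."""
    found = []
    for e in entries:
        m = RUN_RE.match(e.body) if e.kind == "O4" else None
        if m:
            found.append((m.group("hive"), m.group("name"), m.group("cmd")))
    return found


def reappeared(after_log: str, fixed: List[str]) -> List[str]:
    """Entries that were 'Fix checked' but are present again in the post-reboot log."""
    after = {e.body for e in parse_hjt(after_log)}
    return [body for body in fixed if body in after]
```

An orphaned entry that keeps returning after "Fix checked" and a reboot, as the O2 entry does here, is the signal that something still running re-creates it, which is why a fresh log is requested after every restart.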
 
Hi,

here is the hijackthis log

[Attachment: hijackthis5.txt]

I noticed this file repopulated after restart:
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

I did as you said, checking the "Fix checked" box and restarting.

thanks.

Can you also guide me in getting my keyboard functioning?

thank you
 