Inactive Iexplore.exe processes pop up, apparent rootkit infection

Status
Not open for further replies.

DoktrMik

Posts: 68   +0
There seem to be a number of people with this issue, and I've tried to follow some of the other threads here to resolve.

When connected to the net I get a pair of iexplore.exe processes appearing and then popups randomly appear. When I'm not on the net there's no noticeable problem.

I've attached DDS and GMER logs, but also tried the eSage Bootkit Remover which believes I have a problem:

----------------
Bootkit Remover
© 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 305658c5e95259df8541c6683a71d729

Size Device Name MBR Status
---------------------------------------------------
465 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks

--
Unfortunately a fix operation doesn't resolve this (using the creation of a .bat file I've seen on these forums). I still get this message and I'm wondering if perhaps I need to consider running the Recovery console and doing a fixmbr...

Thanks in advance for any suggestions.
DM
 

Attachments

  • Attach.txt
    29.4 KB · Views: 1
  • DDS.txt
    18.7 KB · Views: 3
  • gmer.log
    16.5 KB · Views: 1
Malwarebytes log is missing, so please, provide that.

Also...

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.
 
Hi Broni, Thanks for your reply.

Sorry 'bout missing the log. I ran several iterations of Malwarebytes, so I'll have to include them all. Originally when I got the virus it would not let me start MBAM nor browse to their web site, but after starting MBAM in safe mode I was able to update and move past that issue.

Notices of infection from MBAM logs (I can attach the full log files if you want)

Files Infected:
C:\System Volume Information\_restore{82431C6D-9B9C-4BFD-842B-FA5E1956B109}\RP488\A0082413.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{82431C6D-9B9C-4BFD-842B-FA5E1956B109}\RP488\A0082427.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{82431C6D-9B9C-4BFD-842B-FA5E1956B109}\RP488\A0082518.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Temp\regbak\ERDNTWIN.OVL (Trojan.Banker) -> Quarantined and deleted successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.79,93.188.166.229 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce8b9f7f-8036-41d9-b0de-3f644b017594}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.79,93.188.166.229 -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ernel32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Trojan.Agent) -> Quarantined and deleted successfully.


As you suggested, I ran MBRCheck:


MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\E: --> \\.\PhysicalDrive0
\\.\F: --> \\.\PhysicalDrive2
\\.\G: --> \\.\PhysicalDrive2
\\.\H: --> \\.\PhysicalDrive2
\\.\I: --> \\.\PhysicalDrive3
\\.\J: --> \\.\PhysicalDrive1
\\.\Q: --> \\.\PhysicalDrive2

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 MBR Code Faked!
465 GB \\.\PhysicalDrive2 Known-bad MBR code detected (Whistler / Black Internet)!
111 GB \\.\PhysicalDrive3 Known-bad MBR code detected (Whistler / Black Internet)!
232 GB \\.\PhysicalDrive1 Known-bad MBR code detected (Whistler / Black Internet)!

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Done! Press ENTER to exit...



Thanks again!
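The two tools above reach their verdicts ("Unknown boot code", "MBR Code Faked!", "Known-bad MBR code detected") by hashing the boot-code region of the first sector and comparing it against lists of known images, independent of the partition table. The following Python script is an added illustration of that check and is not code from Bootkit Remover, MBRCheck or this thread; the reference boot code, disk signature, partition entries and the "known-bad" entry are all constructed samples, not real Windows or malware images.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439 hold boot code; 440..443 the disk signature
PART_TABLE_OFF = 446           # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 on every valid MBR

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, disk signature and partition table."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i : PART_TABLE_OFF + 16 * (i + 1)]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:  # partition type 0 means the slot is unused
            partitions.append({"bootable": entry[0] == 0x80, "type": entry[4],
                               "lba_start": lba_start, "sectors": sectors})
    return {
        # Only the code region is hashed, so the verdict ignores partition layout.
        "boot_code_md5": hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, BOOT_CODE_LEN)[0],
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
    }

def classify_mbr(mbr: bytes, known_good: dict, known_bad: dict) -> str:
    """Produce MBRCheck-style verdicts: malformed, known-bad, known-good or unknown."""
    info = parse_mbr(mbr)
    if not info["signature_ok"]:
        return "Invalid MBR: 0x55AA signature missing"
    digest = info["boot_code_md5"]
    if digest in known_bad:
        return f"Known-bad MBR code detected ({known_bad[digest]})!"
    if digest in known_good:
        return f"{known_good[digest]} MBR code detected"
    return "Unknown boot code"

def build_mbr(boot_code: bytes, disk_sig: int, partitions: list) -> bytes:
    """Assemble a constructed MBR image for testing (not a real boot sector)."""
    table = b"".join(struct.pack("<B3sB3sII", 0x80 if bootable else 0, b"\0\0\0",
                                 ptype, b"\0\0\0", lba, n) for bootable, ptype, lba, n in partitions)
    return (boot_code.ljust(BOOT_CODE_LEN, b"\0") + struct.pack("<IH", disk_sig, 0)
            + table.ljust(64, b"\0") + BOOT_SIGNATURE)

# Constructed stand-in for a trusted boot-code image; a real allowlist holds hashes of genuine MBRs.
REFERENCE_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40
KNOWN_GOOD = {hashlib.md5(REFERENCE_CODE.ljust(BOOT_CODE_LEN, b"\0")).hexdigest(): "Windows XP (reference)"}
PARTS = [(True, 0x07, 63, 204800), (False, 0x07, 204863, 409600)]   # constructed sample layout
CLEAN_MBR = build_mbr(REFERENCE_CODE, 0x1234ABCD, PARTS)
# Same disk signature and partition table, but the code region has been overwritten.
MODIFIED_MBR = build_mbr(b"\xeb\x3e" + REFERENCE_CODE[2:], 0x1234ABCD, PARTS)
```

Because the partition table and disk signature of the two constructed images are identical, only the boot-code hash separates them, which is why a machine can keep booting normally while the MBR still reports as non-standard.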
 
OK. Now you have to explain to me what all those drives are and where Windows is installed.
 
Windows is installed on C. The other partitions don't contain an OS but are used for music, artwork, backups, etc. They just contain files, in other words, and I'd never boot from them.
 
Rerun MBRCheck.
Enter 'Y' and hit ENTER for more options and select option "2".
When asked for physical disk number, enter 0 (zero).
Next, enter 1 (Windows XP) for MBR code.
Post resulting log.
 
Really appreciate your help...

MBRCheck, version 1.1.1
(c) 2010, AD


\\.\C: --> \\.\PhysicalDrive0
\\.\E: --> \\.\PhysicalDrive0
\\.\F: --> \\.\PhysicalDrive2
\\.\G: --> \\.\PhysicalDrive2
\\.\H: --> \\.\PhysicalDrive2
\\.\I: --> \\.\PhysicalDrive3
\\.\J: --> \\.\PhysicalDrive1
\\.\Q: --> \\.\PhysicalDrive2

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 MBR Code Faked!
465 GB \\.\PhysicalDrive2 Known-bad MBR code detected (Whistler / Black Internet)!
111 GB \\.\PhysicalDrive3 Known-bad MBR code detected (Whistler / Black Internet)!
232 GB \\.\PhysicalDrive1 Known-bad MBR code detected (Whistler / Black Internet)!

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Options:

[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): Available MBR codes:

[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive:

Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: Successfully wrote new MBR code!

Please reboot your computer to complete the fix.

Done! Press ENTER to exit...

---

I rebooted without issues, and ran MBRCheck again:

MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\E: --> \\.\PhysicalDrive0
\\.\F: --> \\.\PhysicalDrive2
\\.\G: --> \\.\PhysicalDrive2
\\.\H: --> \\.\PhysicalDrive2
\\.\I: --> \\.\PhysicalDrive3
\\.\J: --> \\.\PhysicalDrive1
\\.\Q: --> \\.\PhysicalDrive2

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
465 GB \\.\PhysicalDrive2 Known-bad MBR code detected (Whistler / Black Internet)!
111 GB \\.\PhysicalDrive3 Known-bad MBR code detected (Whistler / Black Internet)!
232 GB \\.\PhysicalDrive1 Known-bad MBR code detected (Whistler / Black Internet)!

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done! Press ENTER to exit...
 
It actually looks good! :D

Do I need to worry about the MBR code detected on the other drives? I assume I should also do another full MBAM scan to check things are OK?

Many thanks, Broni. It makes me mad that there are people writing these viruses, but it makes me happy that there are people like you around to help out :)
 
Dammit, I spoke too soon. After a few minutes some iexplore.exe processes turned up. I killed them and disconnected.

Things have improved though. Before, when I'd go online, my AV software would immediately complain that it was blocking IP connections. Now that's gone, but I guess the iexplore issue is not.
 
No, you don't have to worry about other MBR codes, but there is a good chance that some infection may still be present.
We better check.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Sorry, I pasted it first which was clearly a bad idea. Now the log is attached... :)
 

Attachments

  • ComboFix.txt
    31.9 KB · Views: 6
Indeed I did a few days ago - here's the log. Bear in mind I've tried a few other things since then.
 

Attachments

  • ComboFix2.txt
    31 KB · Views: 3
Seems OK...

MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\E: --> \\.\PhysicalDrive0
\\.\F: --> \\.\PhysicalDrive2
\\.\G: --> \\.\PhysicalDrive2
\\.\H: --> \\.\PhysicalDrive2
\\.\I: --> \\.\PhysicalDrive3
\\.\J: --> \\.\PhysicalDrive1
\\.\Q: --> \\.\PhysicalDrive2


Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
465 GB \\.\PhysicalDrive2 Known-bad MBR code detected (Whistler / Black Internet)!
111 GB \\.\PhysicalDrive3 Known-bad MBR code detected (Whistler / Black Internet)!
232 GB \\.\PhysicalDrive1 Known-bad MBR code detected (Whistler / Black Internet)!

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done! Press ENTER to exit...
 
OK. We have to be very careful here, when dealing with MBR, so I need more info....

From what I can see, we have:
- drive0: two partitions C and E (Windows XP on C partition)
- drive1: one partition J
- drive2: three partitions F, G and Q
- drive3: one partition I
Is that correct?
All internal drives?
 
Correct - they're all internal drives. Your description is correct except that drive 2 also has partition H, so there are four in total there.
 
Rerun MBRCheck.
Enter 'Y' and hit ENTER for more options and select option "2".
When asked for physical disk number, enter 1.
Next, enter 1 (Windows XP) for MBR code.
Post resulting log.
 
MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\E: --> \\.\PhysicalDrive0
\\.\F: --> \\.\PhysicalDrive2
\\.\G: --> \\.\PhysicalDrive2
\\.\H: --> \\.\PhysicalDrive2
\\.\I: --> \\.\PhysicalDrive3
\\.\J: --> \\.\PhysicalDrive1
\\.\Q: --> \\.\PhysicalDrive2

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
465 GB \\.\PhysicalDrive2 Known-bad MBR code detected (Whistler / Black Internet)!
111 GB \\.\PhysicalDrive3 Known-bad MBR code detected (Whistler / Black Internet)!
232 GB \\.\PhysicalDrive1 Known-bad MBR code detected (Whistler / Black Internet)!

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): Available MBR codes:

[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive:
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: Successfully wrote new MBR code!
Please reboot your computer to complete the fix.

Done! Press ENTER to exit...


and after a reboot:

MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\E: --> \\.\PhysicalDrive0
\\.\F: --> \\.\PhysicalDrive2
\\.\G: --> \\.\PhysicalDrive2
\\.\H: --> \\.\PhysicalDrive2
\\.\I: --> \\.\PhysicalDrive3
\\.\J: --> \\.\PhysicalDrive1
\\.\Q: --> \\.\PhysicalDrive2

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Windows XP MBR code detected
465 GB \\.\PhysicalDrive2 Known-bad MBR code detected (Whistler / Black Internet)!
111 GB \\.\PhysicalDrive3 Known-bad MBR code detected (Whistler / Black Internet)!
232 GB \\.\PhysicalDrive1 Windows XP MBR code detected

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Done! Press ENTER to exit...
 
Looks good :)

Reboot.

Rerun MBRCheck.
Enter 'Y' and hit ENTER for more options and select option "2".
When asked for physical disk number, enter 2.
Next, enter 1 (Windows XP) for MBR code.
Post resulting log.
 