
Hidden iexplore.exe plays radio/commercials


3 replies to this topic

#1 Trakeen


Posted 25 August 2009 - 01:32 PM

This is probably the 5th computer in as many weeks that I've had this problem.

Customer comes in infected with Personal Anti-Virus, whee... Get rid of that with the following: Move %root%\program files\PersonalAV to the desktop, erase folder, quick scan with Malwarebyte's, scan with AVG, followed by a full scan with Malwarebytes. Once everything is cleared I restart the computer and run one more quick scan with malwarebytes. Usually the scan comes up clean, as it has done on this computer.

Now here's the kicker. After both AVG and Malwarebyte's report a clean system I will suddenly start hearing commercials, or sometimes streaming video/radio from some random site. Opening Task Manager reveals a hidden iexplore.exe running. Once it's closed the streaming stops, but the system will sometimes start a new iexplore and stream again. Today I'm hearing playboy mansion and all kinds of other commercials playing.

If you close the program through Task Manager and try to run Internet Explorer you'll get the message asking if you'd like to reopen the recovered site IE was visiting when you closed it out. If I tell it to recover instead of going to the home page 4 new windows will open, but then IE locks up so I never get to see the URL.

At the moment I can't get Malwarebytes to work unless I change the filename from mbam.exe to some random name like M.exe.

If you need anymore input please let me know. I'm currently running a scan with ESET Online scan, and I can hear IE clicking on links in the background. Let the streaming begin again....


#2 Blade


Posted 25 August 2009 - 01:40 PM

Hello Trakeen.

We need to do a rootkit scan.

Please install RootRepeal
Note: Vista users, right click on the desktop icon and select "Run as Administrator."
  • Go HERE, HERE, or HERE and download RootRepeal.zip to your Desktop.
    • Disconnect from the Internet or physically unplug your Internet cable connection.
    • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan, including the screensaver.
    • Temporarily disable your anti-virus and real-time anti-spyware protection.
    • After starting the scan, do not use the computer until the scan has completed.
    • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • Extract RootRepeal.exe from the zip archive.
  • Open RootRepeal.exe on your desktop.
  • At the top of the window, click Settings, then Options.
  • Click the Ssdt & Shadow Ssdt Tab.
  • Make sure the box next to "Only display hooked functions." is checked.
  • Click the "X" in the top right corner of the Settings window to close it.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
~Blade


In your next reply, please include the following:
RootRepeal log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#3 Trakeen


Posted 26 August 2009 - 03:31 PM

Thanks for the fast response, but while attempting to remove viruses the machine completely locked up. I've decided the best thing will be to just reload the machine. I hate doing that, but it seems like my only option. Even in safe mode the machine locks up 5 - 10 minutes into doing anything. The mouse works, but nothing you click on responds and it's very aggravating, so to relieve my stress I'll simply do a reload.

#4 Blade


Posted 27 August 2009 - 05:50 AM

Hello,

In this situation I would say that's probably a wise decision. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action to take.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding and hiding their own extension after the existing extension of a file, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best procedure is a low level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

The best sources of information on this are
Reformatting Windows XP
Reinstall Windows Vista
Michael Stevens Tech

***************************************************

2 guidelines when backing up:

1) Backup all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do NOT backup any applications/installers and Do NOT backup any files with the following extensions
  • .exe
  • .scr
  • .htm
  • .html
  • .xml
  • .zip
  • .rar
This is because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.
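As an added example (not from the thread or any of the tools linked above), a small Python helper that applies the two backup guidelines to a folder before anything is copied back: it skips the listed extensions and the autorun file, and separately flags the disguised double-extension names warned about earlier in this reply (e.g. `photo.jpg.exe`), which a glance at the icon or a plain "is it a .jpg?" check would miss. The sample file names are constructed.

```python
from __future__ import annotations
import os
from pathlib import Path

# Extensions the guidelines say never to restore from a backup.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar"}
# The autorun file called out earlier in the reply (autorun.inf is the
# name Windows actually honours; both are excluded here).
BLOCKED_NAMES = {"autorun.ini", "autorun.inf"}
# Data extensions from guideline 1 that malware likes to hide behind.
DATA_EXTENSIONS = {".doc", ".txt", ".mp3", ".jpg"}


def classify(name: str) -> tuple[str, str]:
    """Return (verdict, reason) for a single file name.

    verdict is 'copy' (safe data), 'skip' (never restore) or 'review'
    (extension not on either list; look at it by hand).
    """
    lower = name.lower()
    if lower in BLOCKED_NAMES:
        return "skip", "autorun file"
    suffixes = [s.lower() for s in Path(lower).suffixes]
    if not suffixes:
        return "skip", "no extension"
    final = suffixes[-1]
    if final in BLOCKED_EXTENSIONS:
        # "vacation.jpg.exe": a data extension stacked in front of an
        # executable one is the disguise described above; name it explicitly.
        if len(suffixes) > 1 and suffixes[-2] in DATA_EXTENSIONS:
            return "skip", f"disguised double extension {suffixes[-2]}{final}"
        return "skip", f"blocked extension {final}"
    if final in DATA_EXTENSIONS:
        return "copy", "data file"
    return "review", f"unlisted extension {final}"


def plan_backup(root: str) -> dict[str, list[str]]:
    """Walk `root` and bucket every file by verdict; only 'copy' gets restored."""
    plan: dict[str, list[str]] = {"copy": [], "skip": [], "review": []}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            verdict, reason = classify(fn)
            rel = os.path.relpath(os.path.join(dirpath, fn), root)
            plan[verdict].append(f"{rel} ({reason})")
    for bucket in plan.values():
        bucket.sort()
    return plan
```

Run `plan_backup` against the folder you intend to back up and copy only the `copy` bucket; anything in `review` (for example `archive.tar.gz`) is decided by hand.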


Download Belarc Advisor - builds a detailed profile of your installed software and hardware, including Microsoft Hotfixes, and displays the results in your Web browser.
Run it and then print out the results; they may be handy.

~Blade
