iexplore.exe virus?


  • This topic is locked
19 replies to this topic

#1 ut_oh

ut_oh

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:24 PM

Posted 06 February 2010 - 10:40 PM

I have noticed within the past 2-4 weeks that my computer has slowed down considerably. In particular when I am reading email on Internet Explorer v8.0 - I use Google's gmail website. I can select an action such as compose a new message and it can take 30 seconds for a new window to display. When I start to type in my message the computer is slow to respond.

I've done a bit of research online and found people with similar symptoms and they have attributed it to iexplore.exe virus. I've run Norton and Avast, AdAware, Spybot and Malwarebytes to no avail. None of the programs find a virus. Through my research I have also found that people have had success posting log files to forums such as this. So here I am and here are my log files - attach.txt and dds.txt.

I tried to run gmer.exe but in the middle of running it my computer automatically rebooted. Thinking it was just a fluke and my computer had just overheated I tried to run it again and now can't run it at all. Hopefully the attach.txt and dds.txt files will be a sufficient start to resolve this issue.

dds.txt log file below

DDS (Ver_09-12-01.01) - NTFSx86
Run by barb at 18:21:54.56 on Sat 02/06/2010
Internet Explorer: 8.0.6001.18882
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1982.650 [GMT -8:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Norton 360 *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\rundll32.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\WLANExt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Windows\WindowsMobile\wmdcBase.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\barb\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local;localhost
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [Ncr3]
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Mobile-based device management] %WINDIR%\WindowsMobile\wmdcBase.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [eFax 4.3] "c:\program files\efax messenger 4.3\J2GDllCmd.exe" /R
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
DPF: {33704B0F-9EB7-434B-B752-EA6CFFB87423} - hxxp://192.168.0.253/JpegInst.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\users\barb\appdata\roaming\mozilla\firefox\profiles\srmadnnv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-2 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-2-5 163280]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20100128.002\IDSvix86.sys [2010-1-30 286768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-2-5 19024]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-2-5 51792]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-5 40384]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-7-7 1153368]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-5 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-5 40384]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-26 102448]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2009-2-19 41008]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-21 135664]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-2 21504]
S3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-6-10 1245064]

=============== Created Last 30 ================

2010-02-07 02:19:42 0 ----a-w- c:\users\barb\defogger_reenable
2010-02-07 01:40:17 0 d-----w- c:\program files\TrendMicro
2010-02-06 05:14:29 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-02-06 05:11:57 0 d-----w- c:\programdata\Alwil Software
2010-02-03 07:03:17 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-03 05:14:09 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-03 05:09:42 0 dc-h--w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-03 05:08:12 0 d-----w- c:\programdata\Lavasoft
2010-02-03 05:08:12 0 d-----w- c:\program files\Lavasoft
2010-02-03 04:35:53 0 d-----w- c:\users\barb\appdata\roaming\Malwarebytes
2010-02-03 04:35:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-03 04:35:47 0 d-----w- c:\programdata\Malwarebytes
2010-02-03 04:35:46 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-03 04:35:46 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-03 04:14:19 0 d-----w- c:\windows\pss
2010-01-30 23:32:05 873310 ----a-w- c:\windows\system32\oem66.inf
2010-01-17 22:22:05 0 d-----w- c:\program files\common files\xing shared
2010-01-13 02:45:53 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-13 02:45:53 156672 ----a-w- c:\windows\system32\t2embed.dll

==================== Find3M ====================

2010-02-06 21:18:45 41952 ----a-w- c:\programdata\nvModes.dat
2010-02-05 06:59:45 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-05 06:59:45 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-02-05 06:59:45 143360 ----a-w- c:\windows\inf\infstor.dat
2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-26 11:26:46 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-24 05:00:15 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2009-11-09 12:31:42 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30:03 30720 ----a-w- c:\windows\system32\httpapi.dll
2008-06-16 01:23:45 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-07-14 07:00:50 16384 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009071420090715\index.dat

============= FINISH: 18:25:31.72 ===============



Thanks for any and all help.

Attached Files
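As an added example (not code from the original post, nor part of DDS itself), a small Python triage script for the "Pseudo HJT Report" section of the DDS log above: it flags the BHO/toolbar CLSIDs registered with "No File", the empty `uRun: [Ncr3]` autostart value, and any ActiveX (DPF) control fetched from a bare IP address such as 192.168.0.253, so a helper can see which lines deserve a closer look. The sample input is an abridged copy of lines from that log; the flags mark items to review, not confirmed malware.

```python
"""Triage helper for the DDS "Pseudo HJT Report" section (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# Constructed sample input: an abridged copy of lines from the DDS log posted
# above, in the exact "Pseudo HJT Report" line format (DDS defangs URLs as hxxp).
SAMPLE_HJT = r"""
uStart Page = hxxp://www.google.com/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [Ncr3]
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
DPF: {33704B0F-9EB7-434B-B752-EA6CFFB87423} - hxxp://192.168.0.253/JpegInst.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
"""

# uRun / mRun / mRunOnce lines: "<hive>Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^[um]Run(?:Once)?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# BHO / TB / DPF lines: "<kind>: [<label>: ]{<CLSID>} - <dll path | cab URL | No File>"
CLSID_RE = re.compile(
    r"^(?P<kind>BHO|TB|DPF): (?:(?P<label>.+?): )?\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$"
)


@dataclass
class Finding:
    line: str    # the original log line
    reason: str  # why it was flagged for review


def _is_ip_literal(host: str) -> bool:
    """True if the host part of a URL is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_hjt(text: str) -> List[Finding]:
    """Scan Pseudo-HJT lines and return the entries a helper would look at first."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        run = RUN_RE.match(line)
        if run:
            # An autostart value with no command is either a leftover or a
            # value whose data DDS could not read; either way it needs checking.
            if not run.group("cmd").strip():
                findings.append(Finding(line, "Run entry has no command: empty or orphaned autostart value"))
            continue
        ext = CLSID_RE.match(line)
        if not ext:
            continue  # start-page, policy and other lines are not triaged here
        kind, target = ext.group("kind"), ext.group("target").strip()
        if target == "No File":
            # CLSID still registered, DLL gone: a leftover from an uninstall,
            # but also what a half-removed add-on looks like, so list it.
            findings.append(Finding(line, f"{kind} CLSID registered but its DLL is missing (orphaned entry)"))
        elif kind == "DPF":
            # Downloaded ActiveX controls normally come from a vendor hostname;
            # a bare IP (here a LAN address) means the origin must be confirmed by hand.
            host = urlparse(target.replace("hxxp", "http", 1)).hostname or ""
            if _is_ip_literal(host):
                findings.append(Finding(line, f"ActiveX (DPF) control was fetched from a bare IP address ({host}); confirm its origin"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"[review] {f.reason}\n         {f.line}")
```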





#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:10:24 PM

Posted 13 February 2010 - 08:28 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Let's run a rootkit scan

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#3 ut_oh

ut_oh
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:24 PM

Posted 13 February 2010 - 08:45 PM

Mole,
Thanks for responding to my post. I am currently on travel and don't have that computer with me. I will be returning on Monday so can try your suggestion then. I will say that I did try installing and running gmer and had trouble running it. I did not try it in safe mode so that might be the trick.

Thanks again and I will repost next week, hopefully Monday 2/15.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:10:24 PM

Posted 13 February 2010 - 09:06 PM

Okay, no problem
m0le is a proud member of UNITE

#5 ut_oh

ut_oh
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:24 PM

Posted 16 February 2010 - 11:25 PM

Ok I was finally able to run gmer.exe and save out the results (after several random reboots and a couple of blue screens). I've attached the log to this post.

I have abandoned using IE until this is resolved so have downloaded Firefox and Google's Chrome.

Attached Files

  • Attached File  ark.txt   359bytes   6 downloads


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:10:24 PM

Posted 17 February 2010 - 07:39 AM

Gmer is running strangely and its output looks too short. Can you attempt to run a similar program and see how that goes?

We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.

    First Location
    Second Location
    Third Location

  • Open on your desktop.
  • Click the tab.
  • Click the button.
  • Check all seven boxes:
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
Thanks
m0le is a proud member of UNITE

#7 ut_oh

ut_oh
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:24 PM

Posted 17 February 2010 - 10:51 PM

m0le-
I am not too confident in the results of RootRepeal. You indicated it would take some time to run but it didn't take anywhere near as long as gmer.exe did. I did not have to run this in Safe Mode as I did with gmer.exe.

Also, I wanted to point out when I ran gmer.exe I selected the options suggested in the forum topic on fixing malware/virus issues (uncheck sections, IAT/EAT, show all) not sure if this could account for the odd behavior you are seeing.

I've attached the output from RootRepeal to this post.

Thanks for your time and effort.

Attached Files



#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:10:24 PM

Posted 18 February 2010 - 06:52 AM

Okay, that could explain Gmer's log. RootRepeal does seem to be saying that there is no rootkit on board so this may be a wild goose chase.

I know you have run a number of scans which indicate nothing and I also know that the symptoms being described may also be system issues rather than malware ones. I would like to see what the following tool finds.


First a straight scan using Superantispyware

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


Next a deeper rootkit scan with The Avenger
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that both the box next to Scan for rootkits and the box next to Automatically disable any rootkits found both have ticks in them.
  • Click the Execute button.
  • You will be asked No script has been entered. Do you want to execute a rootkit scan only?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If The Avenger finds a hidden rootkit driver, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.

This should really let us know whether it's malware or system problems.
m0le is a proud member of UNITE

#9 ut_oh

ut_oh
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:24 PM

Posted 19 February 2010 - 12:57 AM

Ok, that took a while. I hope I am doing this right - I've been disabling Avast and Norton with each step you have asked that I take. I'm assuming that is what you wanted so hopefully all is well with these results.

Here's the output from SuperAntiSpyware. I've attached the log file from Avenger to this post as well. Thanks!

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/18/2010 at 09:30 PM

Application Version : 4.34.1000

Core Rules Database Version : 4601
Trace Rules Database Version: 2413

Scan type : Complete Scan
Total Scan Time : 02:24:12

Memory items scanned : 804
Memory threats detected : 0
Registry items scanned : 8904
Registry threats detected : 0
File items scanned : 178574
File threats detected : 181

Adware.Tracking Cookie
.casalemedia.com [ C:\Users\barb\AppData\Local\Mozilla\Profiles_bak\default\x6hyrjhr.slt\cookies.txt ]
.casalemedia.com [ C:\Users\barb\AppData\Local\Mozilla\Profiles_bak\default\x6hyrjhr.slt\cookies.txt ]
C:\Users\barb\AppData\Roaming\Microsoft\Windows\Cookies\Low\barb@a.tribalfusion[1].txt
C:\Users\barb\AppData\Roaming\Microsoft\Windows\Cookies\Low\barb@a1.interclick[2].txt
C:\Users\barb\AppData\Roaming\Microsoft\Windows\Cookies\Low\barb@ad.yieldmanager[2].txt
C:\Users\barb\AppData\Roaming\Microsoft\Windows\Cookies\Low\barb@ads.bleepingcomputer[1].txt
C:\Users\barb\AppData\Roaming\Microsoft\Windows\Cookies\Low\barb@ads.bleepingcomputer[2].txt
C:\Users\barb\AppData\Roaming\Microsoft\Windows\Cookies\Low\barb@ads.gmodules[1].txt
C:\Users\barb\AppData\Roaming\Microsoft\Windows\Cookies\Low\barb@ads.neudesicmediagroup[1].txt
C:\Users\barb\AppData\Roaming\Microsoft\Windows\Cookies\Low\barb@ads.undertone[1].txt
C:\Users\barb\AppData\Roaming\Microsoft\Windows\Cookies\Low\barb@at.atwola[2].txt
C:\Users\barb\AppData\Roaming\Microsoft\Windows\Cookies\Low\barb@chitika[2].txt
C:\Users\barb\AppData\Roaming\Microsoft\Windows\Cookies\Low\barb@collective-media[1].txt
C:\Users\barb\AppData\Roaming\Microsoft\Windows\Cookies\Low\barb@content.yieldmanager[1].txt
C:\Users\barb\AppData\Roaming\Microsoft\Windows\Cookies\Low\barb@content.yieldmanager[3].txt
C:\Users\barb\AppData\Roaming\Microsoft\Windows\Cookies\Low\barb@dmtracker[1].txt
C:\Users\barb\AppData\Roaming\Microsoft\Windows\Cookies\Low\barb@interclick[1].txt
C:\Users\barb\AppData\Roaming\Microsoft\Windows\Cookies\Low\barb@kontera[2].txt
C:\Users\barb\AppData\Roaming\Microsoft\Windows\Cookies\Low\barb@media6degrees[2].txt
C:\Users\barb\AppData\Roaming\Microsoft\Windows\Cookies\Low\barb@revsci[1].txt
C:\Users\barb\AppData\Roaming\Microsoft\Windows\Cookies\Low\barb@server.iad.liveperson[1].txt
C:\Users\barb\AppData\Roaming\Microsoft\Windows\Cookies\Low\barb@server.iad.liveperson[3].txt
C:\Users\barb\AppData\Roaming\Microsoft\Windows\Cookies\Low\barb@smartadserver[2].txt
C:\Users\barb\AppData\Roaming\Microsoft\Windows\Cookies\Low\barb@tacoda[2].txt
C:\Users\barb\AppData\Roaming\Microsoft\Windows\Cookies\Low\barb@tribalfusion[1].txt
C:\Users\barb\AppData\Roaming\Microsoft\Windows\Cookies\Low\barb@tribalfusion[2].txt
C:\Users\barb\AppData\Roaming\Microsoft\Windows\Cookies\Low\barb@xiti[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@2o7[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@a1.interclick[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@ad.yieldmanager[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@adinterax[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@ads.admanage[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@ads.clicksor[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@ads.cnn[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@ads.ireport[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@ads.lucidmedia[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@ads.mediamayhemcorp[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@ads.pointroll[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@ads1.hancockwildlife[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@adserv.brandaffinity[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@adserver.adtechus[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@adserver.sdreader[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@advertising.sheknows[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@advertising[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@allpotracks[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@apmebf[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@atdmt[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@bizrate[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@cf-db01.clickfacts[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@chitika[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@collective-media[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@countrywide[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@dc.tremormedia[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@doubleclick[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@e-2dj6wal4kpcjebo.stats.esomniture[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@e-2dj6wfloqmaziao.stats.esomniture[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@e-2dj6wgliopdjoao.stats.esomniture[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@e-2dj6wjk4kkdzmlp.stats.esomniture[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@e-2dj6wjkyslcjgbq.stats.esomniture[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@e-2dj6wjl4alajgap.stats.esomniture[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@e-2dj6wjl4whdzodq.stats.esomniture[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@e-2dj6wjlowlcjshp.stats.esomniture[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@ecnext.advertserve[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@ehg-verizon.hitbox[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@ep.fastfind[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@euroclick[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@eyewonder[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@fastclick[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@findadoc[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@findarticles[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@hitbox[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@homeclick[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@imediablast[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@imrworldwide[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@interclick[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@loans.countrywide[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@media6degrees[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@neocounter.neoworx-blog-tools[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@northcountyluxuryhomes[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@oddcast[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@partner2profit[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@realmedia[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@revsci[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@richmedia.yahoo[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@roiservice[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@sales.liveperson[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@sales.liveperson[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@server.iad.liveperson[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@server.iad.liveperson[3].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@server.iad.liveperson[5].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@specificclick[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@specificmedia[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@stats.paypal[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@statsadv.dada[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@track.bestbuy[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@traffic[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@tribalfusion[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@vhost.oddcast[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@webpower[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@wholesalediscountsunglasses[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@www.3dstats[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@www.googleadservices[10].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@www.googleadservices[11].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@www.googleadservices[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@www.googleadservices[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@www.googleadservices[3].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@www.googleadservices[4].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@www.googleadservices[5].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@www.googleadservices[6].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@www.googleadservices[7].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@www.googleadservices[8].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@www.googleadservices[9].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@www.homeclick[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@www.mlsfinder[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@www.mlsfinder[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@www.sandiegocountyinfo[2].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@www.sdpropertyfinder[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@www.traffic[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@www.wholesalediscountsunglasses[1].txt
C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Cookies\Low\kathy@www3.addfreestats[1].txt
.ehg-ltdcommodities.hitbox.com [ C:\Users\Kathy\AppData\Roaming\Mozilla\Profiles\default\mjpq6nar.slt\cookies.txt ]
.perf.overture.com [ C:\Users\Kathy\AppData\Roaming\Mozilla\Profiles\default\mjpq6nar.slt\cookies.txt ]
.atdmt.com [ C:\Users\Kathy\AppData\Roaming\Mozilla\Profiles\default\mjpq6nar.slt\cookies.txt ]
.imrworldwide.com [ C:\Users\Kathy\AppData\Roaming\Mozilla\Profiles\default\mjpq6nar.slt\cookies.txt ]
.imrworldwide.com [ C:\Users\Kathy\AppData\Roaming\Mozilla\Profiles\default\mjpq6nar.slt\cookies.txt ]
.doubleclick.net [ C:\Users\Kathy\AppData\Roaming\Mozilla\Profiles\default\mjpq6nar.slt\cookies.txt ]

#10 m0le (Malware Response Team, London, UK)

Posted 19 February 2010 - 04:37 AM

No rootkits, and only cookies on SAS.


Please run the following program so we can see if any extra iexplore.exe processes are running.

Please download and run Process Explorer

If Process explorer won't execute rename it Iexplore.exe

Under File and Save As, create a log and post here

Copy and paste the log into your next reply

#11 ut_oh (Topic Starter)

Posted 19 February 2010 - 09:57 PM

I ran Process Explorer twice: once without IE open, and a second time with IE open so you can see what I observe in Task Manager, namely two instances of IE even though I only opened one. I've attached the log created when IE was open to this post. What follows below is the log created when IE was NOT open.
Process PID CPU Description Company Name
System Idle Process 0 80.00
Interrupts n/a 1.54 Hardware Interrupts
DPCs n/a 0.77 Deferred Procedure Calls
System 4 0.77
smss.exe 440
csrss.exe 580
wininit.exe 632
services.exe 676
svchost.exe 876
ehmsas.exe 2488 Media Center Media Status Aggregator Service Microsoft Corporation
nvvsvc.exe 944
rundll32.exe 1392
svchost.exe 972
svchost.exe 1008 0.77
audiodg.exe 1236
svchost.exe 1108 0.77
wlanext.exe 1636
dwm.exe 3368 0.77 Desktop Window Manager Microsoft Corporation
svchost.exe 1128
taskeng.exe 1092
taskeng.exe 3596 Task Scheduler Engine Microsoft Corporation
wuauclt.exe 4212 Windows Update Microsoft Corporation
svchost.exe 1264
SLsvc.exe 1280
svchost.exe 1336
svchost.exe 1524
AvastSvc.exe 1628
spoolsv.exe 2040
CCSVCHST.EXE 204 5.38
svchost.exe 432
AppleMobileDeviceService.exe 2316
mDNSResponder.exe 2344
svchost.exe 3148
LSSrvc.exe 3396
svchost.exe 3452
svchost.exe 3544
svchost.exe 3564
svchost.exe 3604
svchost.exe 3948
XAudio.exe 1332
hpqwmiex.exe 1212
SDWinSec.exe 1044 0.77
symlcsvc.exe 1308
AluSchedulerSvc.exe 2292
AUPDATE.EXE 5852
svchost.exe 3140
iPodService.exe 4292
LuComServer_3_4.EXE 5276
LuCallbackProxy.exe 4692 6.15
lsass.exe 692
lsm.exe 704
csrss.exe 644 0.77
winlogon.exe 772
explorer.exe 3384 Windows Explorer Microsoft Corporation
wmdcBase.exe 852 Windows Mobile Device Center Microsoft Corporation
AvastUI.exe 1068 avast! Antivirus ALWIL Software
ctfmon.exe 4304 CTF Loader Microsoft Corporation
hpwuSchd2.exe 2516 Hewlett-Packard Product Assistant Hewlett-Packard Co.
J2GDllCmd.exe 2884 eFax Messenger - DLL Command Utility j2 Global Communications, Inc.
iTunesHelper.exe 2672 iTunesHelper Apple Inc.
ehtray.exe 3612 Media Center Tray Applet Microsoft Corporation
procexp.exe 4752 1.54 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
CCSVCHST.EXE 3240 Symantec Service Framework Symantec Corporation
JuniperSetupClient.exe 5604 Juniper Setup Client Juniper Networks

#12 m0le (Malware Response Team, London, UK)

Posted 19 February 2010 - 10:12 PM

Okay, there's nothing wrong there.

IE8 runs each tab as a separate service, so if a tab crashes it does not crash the browser. There is also one extra for Ieframe.

The number of iexplore.exes in task manager should be the number of tabs open plus one which is what Process Explorer shows. The memory being used is not overly high so I am not suspecting malware here.

I think we can finish this topic up unless there are any other symptoms.

Edited by m0le, 19 February 2010 - 10:15 PM.


#13 ut_oh (Topic Starter)

Posted 19 February 2010 - 10:23 PM

The memory usage does grow considerably, especially when I go to read my gmail. It really slows down my computer, to the extent that there's a significant pause in between keystrokes. Sorry, I thought that was what I had mentioned in my initial post. Is what I describe symptomatic of malware or a virus?

Here's the log from Process Explorer when I run gmail in IE. See the CPU usage is at 50% - and I just noticed that I get "Not Responding" in the window I use for gmail and then the message goes away. I've seen it sometimes go to 90% and higher.

Process PID CPU Description Company Name
System Idle Process 0 43.85
Interrupts n/a 0.77 Hardware Interrupts
DPCs n/a 0.77 Deferred Procedure Calls
System 4
smss.exe 504
csrss.exe 580
wininit.exe 632
services.exe 676
svchost.exe 880
unsecapp.exe 3216
WmiPrvSE.exe 2960
ehmsas.exe 2424 Media Center Media Status Aggregator Service Microsoft Corporation
FlashUtil10c.exe 5880 Adobe Flash Player Helper 10.0 r32 Adobe Systems, Inc.
nvvsvc.exe 940
rundll32.exe 1400
svchost.exe 968
svchost.exe 1016
audiodg.exe 1228
svchost.exe 1092 0.77
wlanext.exe 1684
dwm.exe 2468 Desktop Window Manager Microsoft Corporation
svchost.exe 1104
taskeng.exe 2504
taskeng.exe 2544 Task Scheduler Engine Microsoft Corporation
wuauclt.exe 5380 Windows Update Microsoft Corporation
taskeng.exe 4596
svchost.exe 1252
SLsvc.exe 1280
svchost.exe 1320
svchost.exe 1548
AvastSvc.exe 1676
AAWService.exe 1700
AAWTray.exe 1448 Ad-Aware Tray Application Lavasoft
spoolsv.exe 2044
CCSVCHST.EXE 312
svchost.exe 1372
AppleMobileDeviceService.exe 2684
mDNSResponder.exe 2712
CLCapSvc.exe 2808
svchost.exe 3084
LSSrvc.exe 3228
svchost.exe 3316
svchost.exe 3428
svchost.exe 3440
svchost.exe 3460
svchost.exe 3732
XAudio.exe 3804
hpqwmiex.exe 3824
SDWinSec.exe 3976
AluSchedulerSvc.exe 2584
svchost.exe 2992
HPHC_Service.exe 4628
iPodService.exe 4664
lsass.exe 692
lsm.exe 704
csrss.exe 644
winlogon.exe 796
explorer.exe 2512 Windows Explorer Microsoft Corporation
wmdcBase.exe 648 Windows Mobile Device Center Microsoft Corporation
AvastUI.exe 4024 avast! Antivirus ALWIL Software
hpwuSchd2.exe 3904 Hewlett-Packard Product Assistant Hewlett-Packard Co.
J2GDllCmd.exe 1384 eFax Messenger - DLL Command Utility j2 Global Communications, Inc.
iTunesHelper.exe 3632 iTunesHelper Apple Inc.
ehtray.exe 2316 Media Center Tray Applet Microsoft Corporation
SUPERAntiSpyware.exe 672 SUPERAntiSpyware Application SUPERAntiSpyware.com
firefox.exe 3624 Firefox Mozilla Corporation
iexplore.exe 5716 Internet Explorer Microsoft Corporation
iexplore.exe 5340 50.00 Internet Explorer Microsoft Corporation
procexp.exe 4576 0.77 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
CCSVCHST.EXE 3888 3.85 Symantec Service Framework Symantec Corporation


Edited by ut_oh, 19 February 2010 - 10:33 PM.
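The two posts above describe a check that can be done mechanically: parse the Process Explorer "Save As" text log, count the iexplore.exe instances against m0le's "tabs open plus one" rule, and flag any that sit at high CPU. The following is an added example (not code from the thread, from Sysinternals, or from Microsoft); the function names, the 40% CPU threshold and the sample excerpt are my own choices, and a surplus it reports is only a reason to look closer, not proof of infection.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One row of a Process Explorer "File > Save As" text log, in the layout posted
# in this thread:  Process PID CPU Description Company Name
# CPU, Description and Company Name are blank on many rows, so everything after
# the PID is optional. Description and Company Name have no delimiter between
# them in the saved log, so they are kept together as one "detail" string.
@dataclass
class ProcRow:
    name: str
    pid: Optional[int]   # None for pseudo-rows such as "Interrupts n/a"
    cpu: float           # 0.0 when the column is blank
    detail: str          # description + company, unsplit

# Non-greedy name so "System Idle Process 0 43.85" parses as name="System Idle
# Process", pid=0, cpu=43.85 rather than stopping at the first word.
_ROW = re.compile(
    r"^(?P<name>.+?)\s+(?P<pid>\d+|n/a)"
    r"(?:\s+(?P<cpu>\d+\.\d+))?"
    r"(?:\s+(?P<detail>.*))?$"
)


def parse_procexp_log(text: str) -> List[ProcRow]:
    rows: List[ProcRow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Process PID CPU"):
            continue                      # blank line or the column header
        m = _ROW.match(line)
        if not m:
            continue                      # tolerate stray text pasted into a reply
        pid = None if m.group("pid") == "n/a" else int(m.group("pid"))
        cpu = float(m.group("cpu")) if m.group("cpu") else 0.0
        rows.append(ProcRow(m.group("name"), pid, cpu, m.group("detail") or ""))
    return rows


def count_instances(rows: List[ProcRow], image_name: str) -> int:
    return sum(1 for r in rows if r.name.lower() == image_name.lower())


def expected_iexplore_count(tabs_open: int) -> int:
    # m0le's rule from this thread: one frame process plus one per open tab.
    return tabs_open + 1


def assess_iexplore(rows: List[ProcRow], tabs_open: int, cpu_threshold: float = 40.0) -> dict:
    """Compare the iexplore.exe count with the expected count and list busy ones."""
    found = count_instances(rows, "iexplore.exe")
    expected = expected_iexplore_count(tabs_open)
    busy = [(r.pid, r.cpu) for r in rows
            if r.name.lower() == "iexplore.exe" and r.cpu >= cpu_threshold]
    return {"found": found, "expected": expected,
            "surplus": max(0, found - expected), "busy": busy}


# Constructed excerpt, modelled on the log posted above (one tab open in IE).
SAMPLE_LOG = """\
Process PID CPU Description Company Name
System Idle Process 0 43.85
Interrupts n/a 0.77 Hardware Interrupts
FlashUtil10c.exe 5880 Adobe Flash Player Helper 10.0 r32 Adobe Systems, Inc.
firefox.exe 3624 Firefox Mozilla Corporation
iexplore.exe 5716 Internet Explorer Microsoft Corporation
iexplore.exe 5340 50.00 Internet Explorer Microsoft Corporation
procexp.exe 4576 0.77 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
"""

if __name__ == "__main__":
    report = assess_iexplore(parse_procexp_log(SAMPLE_LOG), tabs_open=1)
    print(report)   # found 2, expected 2, surplus 0, busy [(5340, 50.0)]
```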


#14 m0le (Malware Response Team, London, UK)

Posted 20 February 2010 - 05:41 AM

I recommend that you read this tutorial on the site when we have finished which explains what you can do to speed up your PC.

I don't see anything that says to me that you are infected but let's run a couple of other scans and see if anything emerges.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Then

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Thanks

#15 ut_oh (Topic Starter)

Posted 21 February 2010 - 09:36 AM

ESET didn't find anything so I don't have a log for that. Malwarebytes didn't appear to find anything either but here's the contents of the log in case there's something else you look for. Thanks for all your help!

Malwarebytes' Anti-Malware 1.44
Database version: 3768
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

2/20/2010 7:54:49 PM
mbam-log-2010-02-20 (19-54-49).txt

Scan type: Full Scan (C:\|D:\|F:\|)
Objects scanned: 348025
Time elapsed: 1 hour(s), 47 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




