Many instances of iexplorer.exe, MalwareBytes freezes right b4 quarantine, The Works...


4 replies to this topic

#1 bgcdev

Posted 17 February 2010 - 12:31 PM

Hello,

I am in desperate need of a rescue! My computer is not running slow or freezing (yet). It actually runs pretty well. However, I know there is a rogue virus present...if not two or three. This laptop once belonged to my girlfriend, who got it from her uncle, so I can't tell which files to keep and which to delete!!!!

First of all, I notice three or more instances of iexplorer.exe in taskmanager and process explorer, even when I am not connected to the internet. I have tried just about every logical solution posted on forums like bleepingcomputer.com, but still no luck. I tried deleting iexplorer.exe from the c:/program files/internet explore directory but the .exe just keeps coming back! I even tried to be smart and uncheck the load startup processes box in msconfig, restart, and then search for any iexplorer.exe in the wrong directory to delete them, close but no cigar. It just will not go away.

Secondly, I have been trying to use Malwarebytes (using a renamed mbam.exe from a prior virus problem), Spybot Search & Destroy, Auslogics Registry Cleaner, and even the newest AdAware to get rid of the virus. Malwarebytes will scan all the way through, and then it stops responding right before the completion, leaving me unable to click to see the report and fix the problems. However, if I abort the scan early Malwarebytes is able to show the report and fix the problems found, but there is still more to fix. The other antivirus programs will complete, but the scans are soooo much slower than they used to be and they don't even find the problem.

I have a wireless internet connection to IE8. For the most part, I can open and browse the web. But other times it is such a hassle just to open a window. I have tried enabling and disabling ActiveX controls, adjusting internet options, but the results are the same. I am finally breaking down and begging for help! I am a designer/beginner web developer...I have deadlines to meet and I am growing tired of this. Your help is greatly appreciated in advance.


#2 garmanma

Posted 17 February 2010 - 12:46 PM

If MBAM hangs midway through the scan:

Please add the following files to the exclusions list in your anti-virus:

C:\WINDOWS\system32\drivers\mbam.sys
C:\WINDOWS\system32\drivers\mbamswissarmy.sys
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe


Also try...


ATF
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

------------------------------------


SAS (may take a long time to scan)
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
    First, reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Note: SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.
Mark

#3 bgcdev

Posted 17 February 2010 - 01:11 PM

Ok. I am currently running Malwarebytes again to see if it will complete the scanning process. Once that is done I will perform scans with ATF and SAS and get back to you with the results...thanks for the quick reply

#4 bgcdev

Posted 18 February 2010 - 12:09 AM

Thanks! I think that may have solved the problem. After I used the ATF-Cleaner I started seeing taskbar icons that I had not seen in a while... Sorry it took so long to reply. The cable guy closed SUPERAntiSpyware while installing my internet...right when it was scanning the last few files! I had to run out and start over once I got back.

Here is the SUPERAntiSpyware log:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/17/2010 at 11:04 PM

Application Version : 4.33.1000

Core Rules Database Version : 4596
Trace Rules Database Version: 2408

Scan type : Complete Scan
Total Scan Time : 02:48:19

Memory items scanned : 562
Memory threats detected : 0
Registry items scanned : 6857
Registry threats detected : 22
File items scanned : 173459
File threats detected : 33

Trojan.Agent/Gen-Ertfor
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A5BF49A2-94F1-42BD-F434-3604812C807D}
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A5BF49A2-94F1-42BD-F434-3604812C807D}

Trojan.RootKit/Gen
HKLM\System\ControlSet019\Services\mzhxsjslzeyqj
C:\WINDOWS\SYSTEM32\DRIVERS\YRAJMCS.SYS
HKLM\System\ControlSet019\Enum\Root\LEGACY_mzhxsjslzeyqj

Trojan.Agent/Gen
HKLM\SYSTEM\CurrentControlSet\Enum\Root\legacy_msupdate
HKLM\SYSTEM\CurrentControlSet\Enum\Root\legacy_msupdate#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\legacy_msupdate\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\legacy_msupdate\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\legacy_msupdate\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\legacy_msupdate\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\legacy_msupdate\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\legacy_msupdate\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\legacy_msupdate\0000#DeviceDesc
C:\WINDOWS\system32\lowsec\local.ds
C:\WINDOWS\system32\lowsec\user.ds
C:\WINDOWS\system32\warning.html
C:\WINDOWS\system32\lowsec

Trojan.Agent/Gen-SSHNAS
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#DeviceDesc

Adware.Tracking Cookie
C:\WINDOWS\system32\config\systemprofile\Cookies\system@247realmedia[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@2o7[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ad.yieldmanager[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ad.yieldmanager[3].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ads.addynamix[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ads.addynamix[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ads.pointroll[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@adserver.adtechus[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@clickpayz3.91462.asklots[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@clickpayz3.91462.blueseek[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@clickpayz9.91462.blueseek[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@clickthrough.kanoodle[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@collective-media[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@collective-media[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@content.yieldmanager[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@content.yieldmanager[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@d.mediaforceads[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@dc.tremormedia[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@imrworldwide[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@invitemedia[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@oasn04.247realmedia[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@pointroll[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@realmedia[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@trafficmp[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@viacom.adbureau[2].txt

Trojan.Agent/Gen-FraudDrop
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\0C4PL2MJ\UPDATE[1].EXE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\0C4PL2MJ\UPDATE[2].EXE

Trojan.Agent/Gen-SDRA
C:\WINDOWS\SYSTEM32\SDRA64.EXE
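
The log above has a simple layout: "Name : value" summary lines, then one blank-separated block per detection family listing registry keys and file paths. As an added example (not part of this thread and not a SUPERAntiSpyware tool), this Python parser reads a constructed log in that layout, cross-checks the listed items against the summary totals, sets tracking cookies aside from the families that need attention, and flags any family that pairs a Services key with a .SYS driver; the service, driver and file names in the sample are made up.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the SUPERAntiSpyware log posted above; names are made up.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 02/17/2010 at 11:04 PM
Registry threats detected : 2
File threats detected : 3

Trojan.RootKit/Gen
HKLM\System\ControlSet001\Services\examplesvc
C:\WINDOWS\SYSTEM32\DRIVERS\EXAMPLE.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_examplesvc

Adware.Tracking Cookie
C:\WINDOWS\system32\config\systemprofile\Cookies\system@example-ads[1].txt

Trojan.Agent/Gen-FraudDrop
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\XXXXXXXX\UPDATE[1].EXE
"""

ITEM_RE = re.compile(r"^(HK(?:LM|CU|U|CR)\\|[A-Za-z]:\\)")  # registry key or file path
HEADER_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.+)$")        # "Name : value" summary line

def parse_sas_log(text):
    """Return (summary fields, {detection family: [registry keys and file paths]})."""
    header, detections, family = {}, defaultdict(list), None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("http"):
            continue
        if ITEM_RE.match(line):                      # an item under the current family
            if family: detections[family].append(line)
        elif "File threats detected" not in header:  # still inside the summary block
            if m := HEADER_RE.match(line): header[m.group(1).strip()] = m.group(2).strip()
        else:                                        # past the summary: a family name
            family = line
            detections.setdefault(family, [])
    return header, dict(detections)

def triage(header, detections):
    """Cross-check the summary counts and separate real detections from cookie noise."""
    items = [i for v in detections.values() for i in v]
    registry = sum(i.upper().startswith("HK") for i in items)
    files = len(items) - registry
    return {
        "registry": registry, "files": files,
        "counts_ok": (registry, files) == (int(header["Registry threats detected"]),
                                           int(header["File threats detected"])),
        "serious": sorted(n for n in detections if not n.startswith("Adware.Tracking")),
        # A family pairing a Services\ key with a .SYS file is a driver-backed service.
        "driver_backed": sorted(n for n, v in detections.items()
                                if any("\\services\\" in i.lower() for i in v)
                                and any(i.lower().endswith(".sys") for i in v)),
    }
```

Run against the real log from this thread, the same checks reproduce the helper's triage: 22 registry and 33 file items, cookies set aside, and one driver-backed family.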

#5 garmanma

Posted 18 February 2010 - 07:28 PM

It looks like you have a couple of nasties
Trojan.Agent/Gen-FraudDrop
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\0C4PL2MJ\UPDATE[1].EXE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\0C4PL2MJ\UPDATE[2].EXE
Trojan.Agent/Gen-SDRA
C:\WINDOWS\SYSTEM32\SDRA64.EXE

plus a rootkit
HKLM\System\ControlSet019\Enum\Root\LEGACY_mzhxsjslzeyqj


Please download TFC by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
==========================


Please download Dr.Web CureIt, the free version & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
====================================


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.
Mark



