multiple copies of iexplore.exe, twain/twunk?


  • This topic is locked
1 reply to this topic

#1 sche0483

  • Members
  • 2 posts

Posted 04 August 2010 - 01:06 PM

So, I've got a whole bunch of problems. I have something creating multiple copies of iexplore.exe in my Task Manager. These appear to be hidden tabs that are automatically "fixed" every time I close them manually in TM. These tabs are slowing my system down to the point of freezing it up. Also, my system seems to have a problem running some applications: iTunes and Windows Media Player seem to last about 10 mins before locking up the computer.

I've been doing a little research in my Windows folder and found a couple of suspicious files: twain32.dll, twain.dll, twunk_32.exe, and twunk_64.exe. All four of these files are being regenerated every time I try to delete them (as you can see in the attached file). I have Norton with all the available updates and it doesn't seem to be able to find anything.

I haven't been able to get GMER to run to completion without the computer seizing up, so I am not yet able to attach that file. Any thoughts? I was also planning on trying to download Malwarebytes and run that software while I wait for someone's input.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Adam Scheidegger at 9:45:38.04 on Thu 07/01/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.854 [GMT -6:00]

AV: Norton Security Suite *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Adam Scheidegger\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\4.2.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\4.2.0.12\IPSBHO.DLL
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\4.2.0.12\coIEPlg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RegistryBooster] "c:\program files\uniblue\registrybooster\launcher.exe" delay 20000
mRun: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1280759762515

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0402000.00c\symds.sys [2010-8-2 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0402000.00c\symefa.sys [2010-8-2 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20100709.001\BHDrvx86.sys [2010-7-9 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0402000.00c\cchpx86.sys [2010-8-2 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0402000.00c\ironx86.sys [2010-8-2 116784]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\4.2.0.12\ccsvchst.exe [2010-8-2 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-8-2 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20100802.001\IDSXpx86.sys [2010-8-2 331640]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100802.021\NAVENG.SYS [2010-8-2 85424]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100802.021\NAVEX15.SYS [2010-8-2 1362608]

=============== Created Last 30 ================

2010-08-03 04:45:18 0 d-----w- c:\docume~1\adamsc~1\applic~1\Uniblue
2010-08-03 04:45:06 0 d-----w- c:\program files\Uniblue
2010-08-03 04:38:25 0 d-----w- c:\windows\pss
2010-08-02 22:49:17 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2010-08-02 21:04:51 0 d-----w- c:\program files\iPod
2010-08-02 21:04:46 0 d-----w- c:\program files\iTunes
2010-08-02 21:04:46 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-08-02 21:03:01 0 d-----w- c:\program files\Bonjour
2010-08-02 18:35:32 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-08-02 18:35:32 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-08-02 18:35:27 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-08-02 18:35:27 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-08-02 18:35:27 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-08-02 18:35:27 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-08-02 18:34:59 0 d-----w- c:\windows\system32\drivers\N360
2010-08-02 18:34:56 0 d-----w- c:\program files\Norton Security Suite
2010-08-02 18:34:38 0 d-----w- c:\program files\NortonInstaller
2010-08-02 18:26:49 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-08-02 18:25:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-08-02 18:16:00 0 d-sh--w- c:\documents and settings\adam scheidegger\IECompatCache
2010-08-02 18:14:36 0 d-sh--w- c:\documents and settings\adam scheidegger\PrivacIE
2010-08-02 18:12:20 0 d-sh--w- c:\documents and settings\adam scheidegger\IETldCache
2010-08-02 18:08:59 0 d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
2010-08-02 18:08:52 0 d-----w- c:\program files\NVIDIA Corporation
2010-08-02 18:07:42 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-08-02 18:07:42 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-08-02 18:07:42 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-08-02 18:07:42 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-08-02 18:07:42 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-08-02 18:07:42 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-08-02 18:07:42 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-08-02 18:07:38 0 d-----w- c:\windows\ie8updates
2010-08-02 18:07:36 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-08-02 18:06:38 0 dc-h--w- c:\windows\ie8
2010-08-02 17:43:29 0 d-----w- c:\windows\system32\scripting
2010-08-02 17:43:28 0 d-----w- c:\windows\system32\en
2010-08-02 17:43:28 0 d-----w- c:\windows\l2schemas
2010-08-02 17:40:16 0 d-----w- c:\windows\network diagnostic
2010-08-02 16:49:10 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-08-02 16:46:15 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-08-02 16:46:10 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-08-02 16:45:55 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2010-08-02 16:45:00 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-08-02 16:45:00 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-08-02 16:44:52 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-08-02 16:42:51 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-08-02 16:41:38 2066432 -c----w- c:\windows\system32\dllcache\mstscax.dll
2010-08-02 16:39:58 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-08-02 16:39:58 1206508 -c----w- c:\windows\system32\dllcache\sysmain.sdb
2010-08-02 16:39:57 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-08-02 16:31:02 191488 ----a-w- c:\windows\system32\iuengine.dll
2010-08-02 16:29:18 0 d-----w- c:\docume~1\adamsc~1\applic~1\Symantec
2010-08-02 16:20:22 60 ----a-w- c:\windows\system32\SYSDRV.DAT
2010-08-02 16:17:38 0 d-----r- c:\windows\Offline Web Pages
2010-08-02 16:12:59 94208 ----a-w- c:\windows\system32\timedate.cpl
2010-08-02 16:11:59 99840 -c--a-w- c:\windows\system32\dllcache\mprmsg.dll
2010-08-02 16:10:59 8704 -c--a-w- c:\windows\system32\dllcache\eventvwr.exe
2010-08-02 16:09:24 0 d-----r- C:\Program Files
2010-08-02 16:09:21 0 d-----r- c:\documents and settings\all users\Documents
2010-08-02 16:08:55 0 d-----w- c:\windows\CACHE
2010-08-02 16:07:57 86061 ----a-w- c:\windows\system32\mmcshext.klw
2010-08-02 16:07:42 4653 ----a-w- c:\windows\system32\runonce.jct
2010-08-02 16:07:40 225325 ----a-w- c:\windows\system32\reset.qrq
2010-08-02 16:07:36 40518 ----a-w- c:\windows\system32\profmap.kvo
2010-08-02 16:07:21 102445 ----a-w- c:\windows\system32\ctfmon.exa
2010-08-02 16:07:12 102444 ----a-w- c:\windows\system32\cfgbkend.bkx
2010-08-02 15:49:04 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-08-02 15:49:02 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-08-02 15:48:13 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-08-02 15:48:10 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-08-02 15:42:42 0 d-----w- c:\windows\system32\wbem\AutoRecover
2010-08-02 15:28:41 0 d-----w- c:\windows\provisioning
2010-08-02 15:28:41 0 d-----w- c:\windows\peernet
2010-08-02 15:27:54 0 d-----w- c:\windows\ServicePackFiles
2010-08-02 15:26:34 0 d-----w- c:\windows\system32\ReinstallBackups
2010-08-02 15:25:17 0 d-----w- c:\windows\EHome
2010-08-02 15:22:54 7208 ------w- c:\windows\system32\secupd.sig
2010-08-02 15:22:54 67866 ------w- c:\windows\system32\drivers\netwlan5.img
2010-08-02 15:22:54 4569 ------w- c:\windows\system32\secupd.dat
2010-08-02 15:22:54 11264 ------w- c:\windows\system32\spnpinst.exe
2010-08-02 14:38:29 0 d-----w- c:\windows\system32\PreInstall
2010-08-02 14:38:28 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-08-02 14:38:27 0 d--h--w- c:\windows\$hf_mig$
2010-08-02 14:38:01 0 d-----w- c:\windows\system32\bits
2010-08-02 14:37:38 8192 ------w- c:\windows\system32\bitsprx2.dll
2010-08-02 14:37:38 7168 ------w- c:\windows\system32\bitsprx3.dll
2010-08-02 14:37:38 354816 -c--a-w- c:\windows\system32\dllcache\winhttp.dll
2010-08-02 14:37:38 354816 ----a-w- c:\windows\system32\winhttp.dll
2010-08-02 14:37:38 18944 ----a-w- c:\windows\system32\qmgrprxy.dll
2010-08-02 14:36:48 217816 ----a-w- c:\windows\system32\wuaucpl.cpl
2010-08-02 14:36:48 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2010-08-02 14:36:48 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2010-08-02 14:36:48 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2010-08-02 14:36:47 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-08-02 14:35:56 0 d-sh--w- c:\documents and settings\adam scheidegger\UserData
2010-08-02 14:33:48 0 d-----w- C:\WUTemp

==================== Find3M ====================

2010-05-18 22:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 22:35:16 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-05-18 22:35:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 22:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-04 04:55:32 6432128 ----a-w- c:\windows\system32\nv4_disp.dll
2010-04-04 04:55:32 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-04-04 04:55:32 4075520 ----a-w- c:\windows\system32\nvcuda.dll
2010-04-04 04:55:32 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-04-04 04:55:32 227944 ----a-w- c:\windows\system32\nvcodins.dll
2010-04-04 04:55:32 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-04-04 04:55:32 2183470 ----a-w- c:\windows\system32\nvdata.bin
2010-04-04 04:55:32 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
2010-04-04 04:55:32 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
2010-04-04 04:55:32 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2010-04-04 04:55:32 1097728 ----a-w- c:\windows\system32\nvapi.dll
2010-04-04 01:23:18 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-04-04 01:23:16 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-04-04 01:23:16 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-04-04 01:23:16 13670504 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-04 01:23:16 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-04 01:22:54 81920 ----a-w- c:\windows\system32\nvwddi.dll

============= FINISH: 9:46:22.81 ===============

I think I have figured this problem out. After looking at more forums than I want to admit, I figured out that I had something buried in the MBR of both of my hard disks called Whistler/Black Internet that was causing all the trouble. Malwarebytes and several other programs (stupid Norton...) were unable to fix the problem in the boot sector of my hard disks. The good people at MicroCenter (www.microcenter.com) directed me to a Russian utility called Dr. Web (www.drweb.com) that was able to fix the problem.

Mods, please close this thread preferably after letting me know if there is anything I need to do to turn off (?) the defogger.exe utility that I used to prepare my computer for your diagnostics.

Thanks for keeping these forums going. I didn't get any direct help from your personnel, but the information on these boards was very helpful in finding and repairing my problem.

Posts merged ~BP

Attached Files


Edited by Budapest, 09 August 2010 - 04:29 PM.
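Added example, not part of the original post and not code from any of the tools named in it. The point of the thread is that the infection lived in the MBR, below the file system, which is why file-scanning tools kept coming up empty while the symptoms persisted. The Python below parses a 512-byte MBR, hashes the 440-byte bootstrap area against a known-good baseline and sanity-checks the partition table; a bootkit that overwrites the boot code while leaving the partition table intact (so the OS still boots) shows up as a boot-code hash mismatch. Both sample MBRs and the baseline hash are constructed for the example. read_physical_mbr() shows how sector 0 would be read on a real Windows disk (Administrator required) and is not called here.

```python
"""
Added example: parse an MBR sector and compare its boot code to a baseline.
Layout used: bytes 0..439 boot code, 440..443 NT disk signature,
446..509 four 16-byte partition entries, 510..511 the 0x55AA signature.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440
DISK_SIG_OFF = 440
PART_TABLE_OFF = 446
MBR_SIGNATURE = b"\x55\xAA"


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR sector into boot-code hash, disk signature and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        # entry bytes 8..11: first LBA, bytes 12..15: sector count (little endian)
        lba_start, sector_count = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0x00:  # type 0x00 marks an unused slot
            partitions.append({"index": i, "status": status, "type": ptype,
                               "lba_start": lba_start, "sectors": sector_count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "valid_signature": sector[510:512] == MBR_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_boot_sha256: str) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA signature")
    if info["boot_code_sha256"] != baseline_boot_sha256:
        findings.append("boot code differs from baseline")
    bootable = [p for p in info["partitions"] if p["status"] == 0x80]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions, expected 1")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: bad status byte 0x{p['status']:02x}")
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append(f"partition {p['index']}: zero start or length")
    return findings


def build_mbr(boot_code: bytes, partitions, disk_signature=0x1234ABCD) -> bytes:
    """Assemble a constructed MBR; partitions are (bootable, type, lba_start, count)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_signature)
    for i, (bootable, ptype, lba_start, count) in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * i
        sector[off] = 0x80 if bootable else 0x00
        sector[off + 4] = ptype
        struct.pack_into("<II", sector, off + 8, lba_start, count)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


# Constructed "clean" MBR: a few x86 opcodes padded with NOPs, one bootable
# NTFS (0x07) partition and one FAT32-LBA (0x0C) partition.
CLEAN_MBR = build_mbr(
    b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 32,
    [(True, 0x07, 63, 20_000_000), (False, 0x0C, 20_000_063, 5_000_000)],
)
# Baseline taken from the clean image. In practice record it from a known-good
# disk or right after a clean install, and keep it off the machine.
BASELINE_BOOT_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

# Constructed "infected" MBR: identical partition table, but the first two
# bytes of boot code now jump elsewhere, the way a bootkit hooks the boot path.
TAMPERED_MBR = bytearray(CLEAN_MBR)
TAMPERED_MBR[:2] = b"\xEB\x3E"  # short JMP over the original bootstrap
TAMPERED_MBR = bytes(TAMPERED_MBR)


def read_physical_mbr(device=r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a real disk on Windows (needs Administrator). Not run here."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE_BOOT_SHA256))     # []
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_BOOT_SHA256))  # boot code mismatch
```

Take the baseline from a known-good image rather than from the suspect disk, and store it somewhere the suspect machine cannot touch. A bootkit is running before the kernel and can filter what the kernel sees when it reads the disk, so a reading taken on the live system is only as trustworthy as that kernel; reading sector 0 from a boot CD or with the disk attached to a clean machine is the sensible way to run this check, which is also why the poster's fix came from a tool that works on the boot sector rather than from file-level scanners.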



#2 kahdah

  • Security Colleague
  • 11,138 posts
  • Location:Florida

Posted 13 August 2010 - 06:51 AM

Hello sche0483

Welcome to BleepingComputer
==========================
Glad you were able to get it sorted out.
You can just delete Defogger; it only disables some services to let GMER run.
If it disabled anything, rerun Defogger and re-enable the disabled services; then you can delete it.

Since this issue appears to be resolved ... this Topic has been closed.

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
Please do not PM for help; post it in the forums instead.

If I am helping you and have not responded for 48 hours, please send me a PM, as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.



