iexplore.exe virus? fake system recovery removed and start menu not working


  • This topic is locked
3 replies to this topic

#1 StackTom

StackTom

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:47 PM

Posted 26 October 2011 - 07:07 PM

Hi,

I just want to let you know that I did search and tried everything I could. But now I need professional assistance and reviewing my available logs.

Edit: Did I post this in the wrong section? Sorry for any inconvenience this may have caused. I was going to repost, but I can't find the delete button on this forum.

This computer is Windows XP Home ver 2002 with Windows SP3.

One day, all of a sudden, the screen went black and everything became hidden.


Phase 1
I booted to safe mode with networking. IE is the only icon visible on the desktop.
I could not open applications, so I pressed Ctrl+Alt+Del to get to Task Manager. I noticed an iexplore.exe running under the processes tab. I closed this process, and I could now run applications.
I ran rkill and malwarebytes then restarted to normal and everything was still black and hidden.
I then went to control panel through start button to unhide the files manually.
When I clicked on the CP icon a box appeared with "hkey_local_machine software bvrp software inc. modem on hold" in the title, and in the field it said "Key is missing!!!" But after I closed the box, it took me to the CP and I manually unhid the files.
However, that did not work for the desktop, but I would see the files shaded in My Documents.
------------

Phase 2
I booted back to safe mode with networking.
I closed iexplore.exe
I re-ran rkill and malwarebytes.
I then ran UnHide.
Note: I had to run Unhide twice, as it got messed up the first time when the allegedly fake iexplore.exe reopened.
When the iexplore.exe opens, there is a quick application pop-up box that says Windows Installer as the title and in the body says, "Preparing to install...". It only lasts for a 1/4 second or less.
The iexplore.exe then appears under the processes tab. The Mem Usage starts at 22,000K then rises to 226,000K and 00 CPU usage.

Unhide then finished and I rebooted to normal.
Desktop was still black.
---

Phase 3
I booted back to safe mode with networking.
I ran cmd and checked the directory for hidden viruses. I don't see anything running. I've done this with and without the iexplore.exe process running.
I then ran SUPER antispyware. I cleaned out a bunch more stuff.
I then ran SpyBot S&D which found some instamedia toolbar malware which was starting to pop up in processes for milliseconds at a time every few minutes.
It said it deleted it.
I finished this phase off by running CCleaner 2-3 times since each scan would find more stuff.
------

Phase 4
I booted back to normal and the desktop was still black. But things were worse this time. Now the start menu and taskbar do not function and show an hourglass when I hover over them.
I was angry at myself for making it worse.
Out of desperation I used Windows Task manager to find and run rkill in normal mode, and POOF, my desktop was BACK! amazing.
However the startmenu and taskbar still did not function.
I then ran malwarebytes from normal and it found nothing.
I also noticed the instamedia toolbar process was appearing for a millisecond again every minute or so. I thought SpyBot S&D destroyed this. I was able to find the location of the process.
It was located in my program files in its own folder of the same name. It was downloaded on 10/15/2011 somehow.
I deleted it manually.

I then went back to my desktop and noticed an application in the middle of my now accessible desktop.
It was called System recovery and uses a default windows app icon.
I went to properties of this app. The real name of the app is:
1kalmig2kb7fzp.exe
A google search said this was bad. I deleted manually.

I restarted the comp to normal and my desktop is still there, but the start menu and taskbar are still not functioning. Also the iexplore.exe is still automatically appearing. Also all my web browsers have disappeared. IE, Firefox, and Chrome icons are not on the desktop.
-------------

Phase 5
I booted back to safe mode with networking, where my start menu works fine.
I cannot run TDSSKiller. I did the renaming tricks to the .zip but the app won't open even after I disable iexplore.exe. No TDSSKiller process pops up at this time.
I then used hippo install checker. I updated IE and Firefox. I also downloaded a Java update, however I am not allowed to run the Java update. It says I do not have permission, yet I am on the administrator account.
I then re-ran SUPER Antispyware and CCleaner and the SUPER scan found a few more files to delete.
I booted to normal and the start menu and taskbar still do not function and the web browser icons are still missing from the desktop. iexplore.exe still executes.
--------

Phase 6
So I booted back to safe mode with networking and decided to give ComboFix a try. Why not? It's worked for me before.
Also ran combofix by dropping a .txt file on the icon with the contents ClearJavaCache::
Combofix ran fine.
I then uninstalled Combofix.
I ran TFCleaner and CCleaner to clean up any mess.

After this, the iexplore.exe still executes.
I booted to normal and the start menu and taskbar are not functioning and the iexplore.exe process is still running.

-------------------------

I am now back in safe mode with networking.

I have a HiJackThis log ready to post. However the combofix logs are nowhere to be found, along with any other logs created.
Only the HiJackThis logs and my CCleaner backup files are successfully saving to the safemode desktop.

I have not created an OTM log unless you want me to.

I can run combofix again and screenshot the logs with my cellphone if needed.

Please help

Thanks,

Tom

Sorry for the long post.

Edited by Budapest, 26 October 2011 - 07:23 PM.
Moved from XP ~Budapest



#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:47 PM

Posted 26 October 2011 - 07:24 PM

Please follow the instructions in ==>This Guide<==. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 StackTom

StackTom
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:47 PM

Posted 26 October 2011 - 07:33 PM

Thank You, I will prepare my post.

#4 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,946 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:47 AM

Posted 26 October 2011 - 11:32 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic425190.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
