Multiple iexplorer processes running, hidden files, empty start menu


This topic is locked. 15 replies to this topic.

#1 Troubled Virus

Posted 18 January 2012 - 04:52 AM

Dear Bleeping Computer Community,

I gave in.

After days of following instructions from past posts and problems, I've finally decided to throw in the towel and make an account to post my issue.

I have gotten closer to a solution thanks to your amazing forum and contributors, but no matter what, the 'multiple iexplorer.exe processes' problem rears its ugly head.

Some quick info (point form):

- Got a major virus(es) probably from infected websites
- Virus HID all my files and folders (and made my start menu empty with dead shortcuts)
- It would run multiple iexplorer.exe processes and PLAY BACKGROUND MUSIC and ADS
- I used the unhide.exe utility. That worked great. Now files are unhidden
- I stupidly deleted my temps so I don't know if I will ever be able to have my Start Menu working
- I did some scans using malware bytes, emsisosft anti-malware, and SUPER anti-spyware
- detected a bunch of spyware, etc.

SO things are looking better... EXCEPT:

1) iexplorer.exe processes are STILL running in the background
2) once in a while my ESET firewall will get a massive flood of attempts to hijack or install things.
3) most of my programs in my start menu show up as empty (I understand I made a mistake removing the temps, this is really a last issue. The main one is just to have a clean system again!)

Please note that I run Windows XP Professional 64 bit so DDS and GMERlog do not work (DDS doesn't work with XP 64 bit, GMER doesn't work with any 64 bit).

Can I provide information with another kind of log?

I really hope you guys can help!

Edited by hamluis, 18 January 2012 - 08:08 AM.
Moved from MRL to Am I Infected, no logs.



#2 Troubled Virus


Posted 18 January 2012 - 02:24 PM

I have run scans with malware bytes, superanti and emsisoft. Just keep having Iexplorer.exe processes showing up!

#3 boopme


Posted 18 January 2012 - 02:51 PM

Please post the MBAM log.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]


NOTE: In some instances if no malware is found there will be no log produced.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#4 Troubled Virus


Posted 18 January 2012 - 07:53 PM

Endlessly grateful for your help.

1) I have used Malware a few times and removed all of the malware (There were 20+ instances of RiskWare.Tool.CK I removed). My last report was last night:

Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.18.01

Windows XP Service Pack 2 x64 NTFS (Safe Mode/Networking)
Internet Explorer 6.0.3790.1830
Aleco :: ALEXDOTCOMPUTER [administrator]

Protection: Disabled

1/18/2012 02:12:41
mbam-log-2012-01-18 (02-12-41).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 572276
Time elapsed: 38 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



Below are the files found from ESET Online Scan:


C:\Documents and Settings\Aleco\Desktop\SmitfraudFix.exe multiple threats deleted - quarantined
C:\Documents and Settings\Aleco\Desktop\Adobe CS3 COMPELTEall keygens and setups\KEYGENS\Adobe.Flash.CS3.Keymaker.Only-ZWT\zwt.rar a variant of Win32/Keygen.AH application deleted - quarantined
C:\Documents and Settings\Aleco\Desktop\Adobe CS3 COMPELTEall keygens and setups\KEYGENS\Adobe.Flash.CS3.Keymaker.Only-ZWT\zwtafcs3.zip a variant of Win32/Keygen.AH application deleted - quarantined
C:\Documents and Settings\Aleco\Desktop\Adobe CS3 COMPELTEall keygens and setups\KEYGENS\ALL-OF-ADOBE-CS3.KEYGENS\Adobe CS3 KeYGeN'z Pack\Encore DVD 2.0 keygen.exe a variant of Win32/Keygen.AO application cleaned by deleting - quarantined
C:\Documents and Settings\Aleco\Desktop\Adobe CS3 COMPELTEall keygens and setups\KEYGENS\ALL-OF-ADOBE-CS3.KEYGENS\Adobe CS3 KeYGeN'z Pack\FireWorks CS3 Keygen + Activation.exe a variant of Win32/Keygen.AH application cleaned by deleting - quarantined
C:\Documents and Settings\Aleco\Desktop\Adobe CS3 COMPELTEall keygens and setups\KEYGENS\ALL-OF-ADOBE-CS3.KEYGENS\Adobe CS3 KeYGeN'z Pack\Photoshop CS3 Activation Keygen.exe a variant of Win32/Keygen.AH application cleaned by deleting - quarantined
C:\Documents and Settings\Aleco\Desktop\ALEX BACKUP\NTFS Partition @ 0\Root\Documents and Settings\alexdotcom\Local Settings\Temp\pkg_21f302fd0\resource.0004.pkg a variant of Win32/Adware.MarketScore.A application deleted - quarantined
C:\Documents and Settings\Aleco\Desktop\Program Installers\MDL_1.1.0152.exe Win32/Adware.DiscoveryLive application deleted - quarantined
C:\Documents and Settings\Aleco\Desktop\Program Installers\Adobe CS3 COMPELTEall keygens and setups\KEYGENS\Adobe.Flash.CS3.Keymaker.Only-ZWT\zwt.rar a variant of Win32/Keygen.AH application deleted - quarantined
C:\Documents and Settings\Aleco\Desktop\Program Installers\Adobe CS3 COMPELTEall keygens and setups\KEYGENS\Adobe.Flash.CS3.Keymaker.Only-ZWT\zwtafcs3.zip a variant of Win32/Keygen.AH application deleted - quarantined
C:\Documents and Settings\Aleco\Desktop\Program Installers\Adobe CS3 COMPELTEall keygens and setups\KEYGENS\ALL-OF-ADOBE-CS3.KEYGENS\Adobe CS3 KeYGeN'z Pack\Encore DVD 2.0 keygen.exe a variant of Win32/Keygen.AO application cleaned by deleting - quarantined
C:\Documents and Settings\Aleco\Desktop\Program Installers\Adobe CS3 COMPELTEall keygens and setups\KEYGENS\ALL-OF-ADOBE-CS3.KEYGENS\Adobe CS3 KeYGeN'z Pack\FireWorks CS3 Keygen + Activation.exe a variant of Win32/Keygen.AH application cleaned by deleting - quarantined
C:\Documents and Settings\Aleco\Desktop\Program Installers\Adobe CS3 COMPELTEall keygens and setups\KEYGENS\ALL-OF-ADOBE-CS3.KEYGENS\Adobe CS3 KeYGeN'z Pack\Photoshop CS3 Activation Keygen.exe a variant of Win32/Keygen.AH application cleaned by deleting - quarantined
C:\Documents and Settings\Aleco\Desktop\Program Installers\Adobe Illustrator CS2\Adobe[1].Illustrator.12.0.CS2.EN.TryOut-Patch_CiM.zip probably a variant of Win32/Agent.MLMKHNM trojan deleted - quarantined
C:\Documents and Settings\Aleco\Desktop\SmitfraudFix\Process.exe Win32/PrcView application cleaned by deleting - quarantined
C:\Documents and Settings\Aleco\Desktop\SmitfraudFix\restart.exe Win32/Shutdown.NAA application cleaned by deleting - quarantined
C:\Documents and Settings\Aleco\My Documents\Downloads\Adobe.Photoshop.CS5.Extended.v12.Keygen.Only.EMBRACE-Deantjah.rar a variant of Win32/HackTool.Patcher.P application deleted - quarantined
C:\Documents and Settings\Aleco\My Documents\Downloads\Adobe.Flash.CS3.Keymaker.Only-ZWT\zwt.rar a variant of Win32/Keygen.AH application deleted - quarantined
C:\Documents and Settings\Aleco\My Documents\Downloads\Adobe.Flash.CS3.Keymaker.Only-ZWT\zwtafcs3.zip a variant of Win32/Keygen.AH application deleted - quarantined
C:\Documents and Settings\Aleco\My Documents\Downloads\Adobe.InDesign.CS4.v6.0.Multilingual.Incl.Keymaker.Internal-CORE\cr-adcs6.zip a variant of Win32/Keygen.BH application deleted - quarantined
C:\Documents and Settings\Aleco\My Documents\Downloads\ALL-OF-ADOBE-CS3.KEYGENS\Adobe CS3 KeYGeN'z Pack\Encore DVD 2.0 keygen.exe a variant of Win32/Keygen.AO application cleaned by deleting - quarantined
C:\Documents and Settings\Aleco\My Documents\Downloads\ALL-OF-ADOBE-CS3.KEYGENS\Adobe CS3 KeYGeN'z Pack\FireWorks CS3 Keygen + Activation.exe a variant of Win32/Keygen.AH application cleaned by deleting - quarantined
C:\Documents and Settings\Aleco\My Documents\Downloads\ALL-OF-ADOBE-CS3.KEYGENS\Adobe CS3 KeYGeN'z Pack\Photoshop CS3 Activation Keygen.exe a variant of Win32/Keygen.AH application cleaned by deleting - quarantined
C:\Documents and Settings\Aleco\My Documents\Downloads\Movavi.VideoSuite.6.1.4-MKDEV.TEAM\CRACK.MKDEV.TEAM.rar a variant of Win32/HackTool.Patcher.N application deleted - quarantined
C:\Program Files\Perfect Uninstaller\PU.exe a variant of Win32/PerfectUninstaller application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1B0D12BB-0D97-4635-8C96-525912AC158B}\RP10\A0013338.rbf a variant of Win32/HackTool.Patcher.N application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1B0D12BB-0D97-4635-8C96-525912AC158B}\RP10\A0013341.rbf a variant of Win32/HackTool.Patcher.N application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1B0D12BB-0D97-4635-8C96-525912AC158B}\RP10\A0014556.exe Win32/PrcView application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1B0D12BB-0D97-4635-8C96-525912AC158B}\RP10\A0014719.exe multiple threats deleted - quarantined
C:\System Volume Information\_restore{1B0D12BB-0D97-4635-8C96-525912AC158B}\RP10\A0014720.exe a variant of Win32/Keygen.AO application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1B0D12BB-0D97-4635-8C96-525912AC158B}\RP10\A0014721.exe a variant of Win32/Keygen.AH application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1B0D12BB-0D97-4635-8C96-525912AC158B}\RP10\A0014722.exe a variant of Win32/Keygen.AH application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1B0D12BB-0D97-4635-8C96-525912AC158B}\RP10\A0014821.exe Win32/Adware.DiscoveryLive application deleted - quarantined
C:\System Volume Information\_restore{1B0D12BB-0D97-4635-8C96-525912AC158B}\RP10\A0014822.exe a variant of Win32/Keygen.AO application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1B0D12BB-0D97-4635-8C96-525912AC158B}\RP10\A0014823.exe a variant of Win32/Keygen.AH application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1B0D12BB-0D97-4635-8C96-525912AC158B}\RP10\A0014824.exe a variant of Win32/Keygen.AH application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1B0D12BB-0D97-4635-8C96-525912AC158B}\RP10\A0014825.exe Win32/PrcView application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1B0D12BB-0D97-4635-8C96-525912AC158B}\RP10\A0014826.exe Win32/Shutdown.NAA application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1B0D12BB-0D97-4635-8C96-525912AC158B}\RP10\A0014828.exe a variant of Win32/PerfectUninstaller application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1B0D12BB-0D97-4635-8C96-525912AC158B}\RP9\A0010872.exe Win32/CMDOW.143 application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1B0D12BB-0D97-4635-8C96-525912AC158B}\RP9\A0013042.exe multiple threats deleted - quarantined
C:\System Volume Information\_restore{1B0D12BB-0D97-4635-8C96-525912AC158B}\RP9\A0013059.exe Win32/PrcView application cleaned by deleting - quarantined
C:\System Volume Information\_restore{1B0D12BB-0D97-4635-8C96-525912AC158B}\RP9\A0013062.exe Win32/Shutdown.NAA application cleaned by deleting - quarantined
C:\WINDOWS\system32\Process.exe Win32/PrcView application cleaned by deleting - quarantined
C:\WINDOWS.0\cmdow.exe Win32/CMDOW.143 application cleaned by deleting - quarantined

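The moderator's reading of the ESET list above (where the hits sit, and that keygen/crack tooling dominates) can be done mechanically. This is an added example, not code from the thread or from ESET; the sample lines are constructed in the same "path, detection, action" format with placeholder names and GUID.

```python
"""Triage an ESET Online Scanner result list, one detection per line.

Added example: the sample lines below are constructed in the same format as
the thread's ESET output; names, paths and the GUID are placeholders.
"""
import re
from collections import Counter

# Constructed sample in ESET's "<path> <detection> <action>" line format.
SAMPLE_LOG = r"""
C:\Documents and Settings\user\Desktop\keygens\example keygen.exe a variant of Win32/Keygen.AH application cleaned by deleting - quarantined
C:\Documents and Settings\user\My Documents\Downloads\tool-patch.rar a variant of Win32/HackTool.Patcher.N application deleted - quarantined
C:\Documents and Settings\user\Desktop\installer.exe Win32/Adware.DiscoveryLive application deleted - quarantined
C:\Documents and Settings\user\Desktop\setup.zip probably a variant of Win32/Agent.EXAMPLE trojan deleted - quarantined
C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP10\A0000001.exe a variant of Win32/Keygen.AH application cleaned by deleting - quarantined
C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP9\A0000002.exe multiple threats deleted - quarantined
"""

# The path may contain spaces, so it is taken non-greedily up to the first
# "[probably ][a variant of ]Win32/<name> <kind>" or "multiple threats" token;
# whatever follows is ESET's action text (e.g. "deleted - quarantined").
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<detection>(?:probably )?(?:a variant of )?Win32/\S+ \S+|multiple threats) "
    r"(?P<action>.+)$"
)
RESTORE_DIR = r"C:\System Volume Information\_restore"


def family(detection):
    """'a variant of Win32/HackTool.Patcher.N application' -> 'HackTool'."""
    m = re.search(r"Win32/([A-Za-z0-9]+)", detection)
    return m.group(1) if m else "multiple"


def parse_eset_log(text):
    """One record per detection line; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["family"] = family(rec["detection"])
        # Hits under System Volume Information live in old restore points: they
        # cannot reinfect by themselves, but rolling back to that point would.
        rec["in_restore_point"] = rec["path"].startswith(RESTORE_DIR)
        records.append(rec)
    return records


def container_dir(path, depth=4):
    # First `depth` components, e.g. C:\Documents and Settings\user\Desktop
    return "\\".join(path.split("\\")[:depth])


def triage(records):
    """Summarise where the detections sit and which families dominate."""
    families = Counter(r["family"] for r in records)
    live = [r for r in records if not r["in_restore_point"]]
    return {
        "total": len(records),
        "restore_point_hits": len(records) - len(live),
        "live_hits": len(live),
        "families": dict(families),
        # Keygen/HackTool hits point at pirated-software tooling as the vector.
        "piracy_tooling": families["Keygen"] + families["HackTool"],
        "live_dirs": sorted({container_dir(r["path"]) for r in live}),
    }


if __name__ == "__main__":
    report = triage(parse_eset_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```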

#5 boopme


Posted 18 January 2012 - 08:48 PM

OK, seems we found the source, the Keygens are importing malware onto your system.

IMPORTANT NOTE: The practice of using cracking tools, keygens, warez or any pirated software is not only considered illegal activity but it is a serious security risk.

Cracking applications are used for illegally breaking (cracking) various copy-protection and registration techniques used in commercial software. These programs may be distributed via Web sites, Usenet, and P2P networks.

trendmicro.com/vinfo

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

...warez/piracy sites ranked the highest in downloading spyware...just opening the web page usually sets off an exploit, never mind actually downloading anything. And by the time the malware is finished downloading, often the machine is trashed and rendered useless.

University of Washington spyware study

...One of the most aggressive and intrusive of all bad websites on the Internet are serial, warez, software cracking type sites...they sneak malware onto your system...Where do trojan viruses originate? One of the biggest malware distributors on the Internet are serial/warez/code cracking sites.

Bad Web Sites: Malware

When you use these kind of programs, be forewarned that some of the worst types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. In many cases, those sites are infested with a smörgåsbord of malware and an increasing source of system infection. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

Before we can continue, I need you to remove all cracks and keygens immediately to reduce the risk of infection/reinfection. If not, then we are just wasting time trying to clean your system. Further, other tools used during the disinfection process may detect crack and keygens so we need to ensure they have been removed.

Using these types of programs or the websites you visited to get them is almost a guaranteed way to get yourself infected!!

#6 Troubled Virus


Posted 18 January 2012 - 09:14 PM

Before we can continue, I need you to remove all cracks and keygens immediately to reduce the risk of infection/reinfection. If not, then we are just wasting time trying to clean your system. Further, other tools used during the disinfection process may detect crack and keygens so we need to ensure they have been removed.


No problem, boopme.

I don't need that junk anyway. There is a lot of stuff on this computer that could use some deleting and cleaning.

I deleted everything that the scan showed and the folders as well.

Do you need a scan log?

Thanks for your insight and help so far!

#7 boopme


Posted 18 January 2012 - 09:45 PM

EDIT: you really should also update to at least IE 7. Internet Explorer 6.0 has many security flaws that were addressed in 7.

No, I do not want to lecture, I/we just need it off as it will continue to allow infection.. *That's the price of the free ride*
Too many times they drop infostealers and then steal a person's ID.

How are the original issues now?
We will clean all these last. C:\System Volume Information

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

Edited by boopme, 18 January 2012 - 09:49 PM.


#8 Troubled Virus


Posted 18 January 2012 - 10:39 PM

The multiple iexplorer.exe files run by SYSTEM in the background still exist but I haven't restarted yet. I will restart after posting this log:

MiniToolBox by Farbar Version: 18-01-2012
Ran by Aleco (administrator) on 18-01-2012 at 23:09:38
Microsoft® Windows® XP Professional x64 Edition Service Pack 2 (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

Belkin Wireless G USB Network Adapter = Wireless Network Connection 12 (Connected)

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip

popd
# End of interface IP configuration

Windows IP Configuration

Host Name . . . . . . . . . . . . : AlecoPUTER
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : phub.net.cable.rogers.com

Ethernet adapter Wireless Network Connection 12:

Connection-specific DNS Suffix . : phub.net.cable.rogers.com
Description . . . . . . . . . . . : Belkin Wireless G USB Network Adapter #13
Physical Address. . . . . . . . . : 00-22-75-75-BA-21
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.117
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 64.71.255.198
                                    192.168.1.1
Lease Obtained. . . . . . . . . . : Wednesday, January 18, 2012 14:32:36
Lease Expires . . . . . . . . . . : Thursday, January 19, 2012 14:32:36

Server: dns.rnc.net.cable.rogers.com
Address: 64.71.255.198

Name: google.com
Addresses: 74.125.115.99, 74.125.115.106, 74.125.115.147, 74.125.115.104
74.125.115.105, 74.125.115.103

Pinging google.com [74.125.113.103] with 32 bytes of data:

Reply from 74.125.113.103: bytes=32 time=44ms TTL=52
Reply from 74.125.113.103: bytes=32 time=45ms TTL=52

Ping statistics for 74.125.113.103:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 44ms, Maximum = 45ms, Average = 44ms

Server: dns.rnc.net.cable.rogers.com
Address: 64.71.255.198

Name: yahoo.com
Addresses: 98.137.149.56, 98.139.180.149, 209.191.122.70, 72.30.2.43

Pinging yahoo.com [98.137.149.56] with 32 bytes of data:

Reply from 98.137.149.56: bytes=32 time=100ms TTL=51
Reply from 98.137.149.56: bytes=32 time=88ms TTL=51

Ping statistics for 98.137.149.56:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 88ms, Maximum = 100ms, Average = 94ms

Server: dns.rnc.net.cable.rogers.com
Address: 64.71.255.198

Name: bleepingcomputer.com
Address: 208.43.87.2

Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:

Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\mswsock.dll [234496] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\winrnr.dll [17408] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\mswsock.dll [234496] (Microsoft Corporation)
Catalog5 04 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [234496] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [234496] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [234496] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [234496] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [234496] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\mswsock.dll [493056] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\winrnr.dll [30720] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\mswsock.dll [493056] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [493056] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [493056] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [493056] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [493056] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [493056] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/18/2012 10:46:33 PM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} and it will not be loaded. This is most likely caused by a faulty registration.

Error: (01/18/2012 10:46:33 PM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE} and it will not be loaded. This is most likely caused by a faulty registration.

Error: (01/18/2012 09:21:36 PM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} and it will not be loaded. This is most likely caused by a faulty registration.

Error: (01/18/2012 09:21:36 PM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE} and it will not be loaded. This is most likely caused by a faulty registration.

Error: (01/18/2012 08:52:32 PM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} and it will not be loaded. This is most likely caused by a faulty registration.

Error: (01/18/2012 08:52:32 PM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE} and it will not be loaded. This is most likely caused by a faulty registration.

Error: (01/18/2012 07:40:36 PM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} and it will not be loaded. This is most likely caused by a faulty registration.

Error: (01/18/2012 07:40:36 PM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE} and it will not be loaded. This is most likely caused by a faulty registration.

Error: (01/18/2012 07:14:32 PM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} and it will not be loaded. This is most likely caused by a faulty registration.

Error: (01/18/2012 07:14:32 PM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE} and it will not be loaded. This is most likely caused by a faulty registration.


System errors:
=============
Error: (01/18/2012 02:49:57 PM) (Source: DCOM) (User: )
Description: DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error: (01/18/2012 02:34:15 PM) (Source: DCOM) (User: )
Description: DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error: (01/18/2012 02:32:51 PM) (Source: 0) (User: )
Description: CENTRIC :0192.168.1.117192.168.1.1

Error: (01/18/2012 02:14:57 PM) (Source: 0) (User: )
Description: \Device\Ide\IdePort0

Error: (01/18/2012 02:12:53 PM) (Source: 0) (User: )
Description: \Device\Ide\IdePort0

Error: (01/18/2012 01:59:43 PM) (Source: 0) (User: )
Description: \Device\Ide\IdePort0

Error: (01/18/2012 01:49:41 PM) (Source: DCOM) (User: )
Description: DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error: (01/18/2012 01:19:40 PM) (Source: 0) (User: )
Description: CENTRIC :0192.168.1.117192.168.1.1

Error: (01/18/2012 01:05:14 PM) (Source: DCOM) (User: )
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (01/18/2012 05:15:52 AM) (Source: DCOM) (User: )
Description: DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}


Microsoft Office Sessions:
=========================
Error: (11/14/2011 11:14:21 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: ???, Microsoft Office Version: 12.0.6514.5001. This session lasted 293 seconds with 0 seconds of active time. This session ended with a crash.

Error: (05/28/2011 00:23:22 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.6514.5001. This session lasted 15 seconds with 0 seconds of active time. This session ended with a crash.

Error: (12/27/2010 04:03:38 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.6514.5001. This session lasted 55982 seconds with 300 seconds of active time. This session ended with a crash.


=========================== Installed Programs ============================


========================= Devices: ================================

Name: Realtek PCIe GBE Family Controller
Description: Realtek PCIe GBE Family Controller
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Realtek Semiconductor Corp.
Service:
Problem: : Reinstall the drivers for this device. (Code 18)
Resolution: The drivers for this device must be reinstalled.
Click "Update Driver", which starts the Hardware Update wizard.
Alternately, uninstall the driver, and then click "Scan for hardware changes" to reload the drivers.

Name: ATI SMBus
Description: ATI SMBus
Class Guid: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Manufacturer: ATI Technologies Inc
Service:
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


========================= Memory info: ===================================

Percentage of memory in use: 37%
Total physical RAM: 3838.85 MB
Available physical RAM: 2388.3 MB
Total Pagefile: 7433.21 MB
Available Pagefile: 6280.28 MB
Total Virtual: 4095.88 MB
Available Virtual: 3995.56 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:298.09 GB) (Free:136.72 GB) NTFS

========================= Users: ========================================

User accounts for \\ALEXDOTCOMPUTER

Administrator Aleco alex
Guest

========================= Minidump Files ==================================

No minidump file found

**** End of log ****

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:05:46 AM

Posted 18 January 2012 - 11:07 PM

No Zeroaccess rootkit yet.
I think you already tried installing IE but this OS will not allow it.

To clean out these last items
Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Tips to protect yourself against malware and reduce the potential for re-infection: Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

#10 Troubled Virus

Troubled Virus
  • Topic Starter

  • Members
  • 22 posts
  • Gender:Male
  • Local time:04:46 AM

Posted 18 January 2012 - 11:29 PM

Dear boopme,

I installed IE 8, restarted, and when logging on right away got the Iexplorer.exe playing ads in the background. Pretty scary.

I just finished creating a restore point and am in the process of doing the disk clean up.

Hopefully I can put out a smile at the end of this topic. I think we are getting closer. I will keep you posted.

Thanks again for all your help!

#11 Troubled Virus

Troubled Virus
  • Topic Starter

  • Members
  • 22 posts
  • Gender:Male
  • Local time:04:46 AM

Posted 18 January 2012 - 11:36 PM

Hey boopme,

I did the disk cleanup.

The Iexplorer.exe files are still loading in the background and are playing music and advertising videos. Iexplorer isn't running on the taskbar, but under Processes it's there. A few instances.

#12 Troubled Virus

Troubled Virus
  • Topic Starter

  • Members
  • 22 posts
  • Gender:Male
  • Local time:04:46 AM

Posted 19 January 2012 - 12:08 AM

My browser is also being hijacked whenever I'm googling a site. Every so often it redirects me somewhere else. I've heard of this issue in previous posts. Just don't know how to fix it.

So to summarize.

Iexplorer.exe still running in background (now more frequently playing music and audio ads)

Google redirects sometimes when using I explorer

#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:05:46 AM

Posted 19 January 2012 - 10:41 AM

This sounds like you now have a Bootkit, not Rootkit, infection. We need to move you.

We need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Include a link back to this topic.

Let me know if that went well.

#14 Troubled Virus

Troubled Virus
  • Topic Starter

  • Members
  • 22 posts
  • Gender:Male
  • Local time:04:46 AM

Posted 19 January 2012 - 12:15 PM

Dear boopme,

Thanks for your help.

DDS doesn't work on Win XP 64-bit. Any other suggestions?

#15 Troubled Virus

Troubled Virus
  • Topic Starter

  • Members
  • 22 posts
  • Gender:Male
  • Local time:04:46 AM

Posted 19 January 2012 - 02:51 PM

The topic continues here: Malware, T