
IE running unexpectedly in background. Unable to Boot to Safe Mode


9 replies to this topic

#1 NateJones

NateJones

  • Members
  • 5 posts

Posted 22 June 2013 - 01:30 AM

Hello and thank you in advance for your help,

 

I have a fairly new computer running Windows 7 64 bit. I took some time away from home recently, and when I got back, failed to update Java as expediently as I should have. Earlier this week I ran a scheduled Microsoft Security Essentials scan, which turned up three detected items:

 

Exploit:Java/CVE-2012-1723

Trojan:Win32/Alureon.GD

Exploit:Java/CVE-2013-0431

 

I promptly removed the three items (MSE reported that they were successfully removed), and started a scan using Spybot-SD, followed by another full scan by MSE. Neither of these showed any threats. At this point, I also made sure that my versions of Java and Adobe Flash were up to date.

 

However, since then, I've noticed periodic slow-downs while internet browsing using Firefox. Yesterday, several alerts popped up in 10 minute intervals stating that a process was blocked from attempting to access the internet. Unfortunately, I did not take a screenshot, or record the exact message. However, I do remember that each process was listed as a long URL with seemingly random strings of alphabetic characters.

 

At that point, I did another full scan by MSE, which did not detect any items. I then downloaded Malwarebytes Anti-Malware, updated the definitions, unplugged my ethernet cable and disabled my firewall/MSE, and then ran Malwarebytes. However, no items were detected.

 

After enabling my firewall/MSE and reconnecting my ethernet cable, I noticed that four instances of Internet Explorer were listed under processes in my Task Manager, which I found odd, since I currently did not have any browser open, and when I do surf the internet, I use Firefox. I used Task Manager to kill the processes, but they returned about 2 minutes later. Each of them uses about 10,000k memory on average, although occasionally, one will spike to about 120,000k memory without me actively doing anything.

 

Finally, I thought to restart the computer in safe mode using F8 on startup, but after several attempts, I was not able to get safe mode to start on boot-up. I downloaded and scanned using Malwarebytes Anti-Rootkit, but nothing was found.

 

I am not very knowledgeable on the subject, but I am worried that I have a rootkit infecting the Master Boot Record, which is causing both the instances of IE and the inability to boot to safe mode.

 

I'm not opposed to reformatting the hard drive, but would like to make sure I do actually have a problem before I do so.

 

Thoughts, suggestions?

 

Thank you for your help!

 

 




#2 noknojon

noknojon

  • Banned
  • 10,871 posts

Posted 22 June 2013 - 06:06 AM

These are typical Java Exploit infections, or outdated versions.
http://www.java.com/en/download/help/testvm.xml << Test your Java Version here.
There have been several updates, and it needs to be Version 7 Update 25. All old versions must be removed from Programs and Features.
You can also update while at the link provided -
 

Download Security Check by Screen317 from HERE
* Save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Note: If any security program requests permission to access the Internet, allow it to do so.

 

Thank You -


Edited by noknojon, 22 June 2013 - 06:11 AM.


#3 NateJones

NateJones
  • Topic Starter

  • Members
  • 5 posts

Posted 22 June 2013 - 04:33 PM

Thanks for the reply. I've followed the link provided to verify that Java was up to date.

 

I then downloaded and executed the program SecurityCheck, and the log is printed below (However, I did notice that operating system requirements listed on the link you gave me said that program was designed for a 32-bit operating system, and may not work on a 64-bit one. I have Windows 7 64-bit, so I am not sure if this will nullify any of the results).

 

Checkup - Notepad

 

 Results of screen317's Security Check version 0.99.67  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Microsoft Security Essentials   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 MVPS Hosts File  
 Spybot - Search & Destroy
 Java 7 Update 25  
 Adobe Flash Player 11.7.700.224  
 Adobe Reader XI  
 Mozilla Firefox (21.0)
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 11% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
 

 

 



#4 noknojon

noknojon

  • Banned
  • 10,871 posts

Posted 22 June 2013 - 06:17 PM

The Checkup program worked perfectly and only listed one item.

Total Fragmentation on Drive C: 11% Defragment your hard drive soon! (Do NOT defrag if SSD!)
 

Malwarebytes Anti-Malware was not found (if still installed) so I will leave a link for this and SUPERAntiSpyware programs. You can install, update, and run a quick scan with each of these -

Please post the result logs back here - Keep these programs and Update and run them each week -

 

Please download Malwarebytes AntiMalware to desktop. Check for updates if not done during download and run a Quick Scan only.
You can check "Remove" for any infections found.

The program may ask you to Reboot if several infections are found.
Please Copy / Paste the Report log back here when completed.

 

Please download SUPERAntiSpyware to desktop. Check for latest updates if not done during the download.
You can check "Remove" for any infections found.

The program may ask you to Reboot if several infections are found.
Run a Quick Scan only and Copy / Paste the Report log back here when finished -

 

 

We should run an ESET Online scan to remove any remains of your problems ->

This is best done with Internet Explorer, but directions are added for other browsers if you must use them.

 

1. Hold down Control key and click on This Link to open ESET OnlineScan in a new window.
2. Click the ESET Online Scanner button.
3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

 

- 1. Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
- 2. Double click on the ESET icon on your desktop.

 

4. Check "YES, I accept the Terms of Use."
5. Click the Start button.
6. Accept any security warnings from your browser.
7. Under scan settings, check "Scan Archives" and "Remove found threats"
8. Click Advanced settings and select the following:
◦ Scan potentially unwanted applications
◦ Scan for potentially unsafe applications
◦ Enable Anti-Stealth technology

9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this will take quite some time. My last clean scan was a bit over 1 hour.
10. When the scan completes, click List Threats
11. Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
12. Click the Back button.
13. Click the Finish button.
NOTE:Sometimes if ESET finds no infections it will not create a log.

 

Post the log back here and this will show and fix the remaining problems,

 

Thank You -



#5 NateJones

NateJones
  • Topic Starter

  • Members
  • 5 posts

Posted 23 June 2013 - 01:06 AM

I also noticed the Defragmentation warning, but since I have an SSD hard drive, I opted not to defrag it.

 

Attached are the logs from the three scans. It looks like while neither Malwarebytes nor SUPERAntiSpyware showed any threats, ESET caught a few.

 

 

 

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.06.22.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Nate :: PARADOX [administrator]

6/22/2013 4:56:52 PM
mbam-log-2013-06-22 (16-56-52).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 229427
Time elapsed: 47 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 

 

 

 

 

 

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/22/2013 at 05:04 PM

Application Version : 5.6.1020

Core Rules Database Version : 10555
Trace Rules Database Version: 8367

Scan type       : Quick Scan
Total Scan Time : 00:00:55

Operating System Information
Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)
UAC On - Limited User

Memory items scanned      : 583
Memory threats detected   : 0
Registry items scanned    : 59930
Registry threats detected : 0
File items scanned        : 10575
File threats detected     : 0
 

 

 

 

ESET Scan

 

C:\Users\Nate\AppData\Local\Netscape\kmufwgqh.dll    Win32/Boaxxe.G trojan    cleaned by deleting (after the next restart) - quarantined
C:\Users\Nate\AppData\Roaming\Mozilla\Firefox\Profiles\bld9dv35.default\extensions\fpdxoluoug@fpdxoluoug.org.xpi    Win32/TrojanDownloader.Tracur.AD trojan    deleted - quarantined
Operating memory    a variant of Win32/TrojanDownloader.Tracur.AF trojan    
 

 

Thank you again for all of your help.
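The three ESET lines in the post above are the only real evidence of compromise in this thread, and they carry more than a name: a DLL with a random-looking name dropped under the user's AppData (no admin rights needed), a Firefox extension whose ID is the same random string twice, one removal deferred "after the next restart", and an in-memory detection with no file and no action at all. The following is an added example, not part of the original post and not ESET's own tooling: a small Python triage parser that reads log lines in the format shown above, pulls out location, threat and action, and flags the points a responder would want to verify after the reboot. The "random-looking name" check (long consonant runs) is a heuristic assumption of this example, not an ESET rule, and the sample log is constructed from the lines posted in the thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the three ESET findings as posted in the thread.
ESET_LOG = """\
C:\\Users\\Nate\\AppData\\Local\\Netscape\\kmufwgqh.dll    Win32/Boaxxe.G trojan    cleaned by deleting (after the next restart) - quarantined
C:\\Users\\Nate\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\bld9dv35.default\\extensions\\fpdxoluoug@fpdxoluoug.org.xpi    Win32/TrojanDownloader.Tracur.AD trojan    deleted - quarantined
Operating memory    a variant of Win32/TrojanDownloader.Tracur.AF trojan
"""


@dataclass
class Finding:
    location: str            # file path, or "Operating memory" for in-memory hits
    threat: str
    action: Optional[str]    # None when ESET reported no action (memory-only detection)
    flags: List[str] = field(default_factory=list)

    @property
    def in_memory(self) -> bool:
        return self.location.lower() == "operating memory"

    @property
    def pending_reboot(self) -> bool:
        # ESET defers deletion of files that are loaded (here: the DLL) until restart
        return bool(self.action) and "after the next restart" in self.action


def longest_consonant_run(name: str) -> int:
    runs = re.findall(r"[b-df-hj-np-tv-z]+", name.lower())
    return max((len(r) for r in runs), default=0)


def looks_random(name: str) -> bool:
    # Heuristic (assumption of this example): generated file names tend to
    # contain long consonant runs; 4+ consonants in a row is the threshold used.
    return len(name) >= 6 and longest_consonant_run(name) >= 4


def parse_eset_log(text: str) -> List[Finding]:
    """Parse 'location    threat    action' lines separated by runs of spaces."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in re.split(r"\s{2,}", line) if p.strip()]
        if len(parts) < 2:
            continue                      # not a finding line; ignore
        location, threat = parts[0], parts[1]
        action = parts[2] if len(parts) > 2 else None
        f = Finding(location, threat, action)
        if f.in_memory:
            f.flags.append("memory-only detection: no file removed, rescan after reboot")
        else:
            # base name without directory, extension-ID suffix or file extension
            stem = location.replace("\\", "/").rsplit("/", 1)[-1].split("@")[0].split(".")[0]
            if looks_random(stem):
                f.flags.append(f"random-looking file name: {stem}")
            if "\\appdata\\" in location.lower():
                f.flags.append("dropped in user profile (AppData): no admin rights needed")
            if location.lower().endswith(".xpi"):
                f.flags.append("browser extension: check Firefox add-ons after cleanup")
            if f.pending_reboot:
                f.flags.append("removal deferred until restart: file still on disk now")
        findings.append(f)
    return findings


def summarize(findings: List[Finding]) -> dict:
    return {
        "total": len(findings),
        "files": sum(1 for f in findings if not f.in_memory),
        "memory_only": sum(1 for f in findings if f.in_memory),
        "pending_reboot": sum(1 for f in findings if f.pending_reboot),
    }


if __name__ == "__main__":
    results = parse_eset_log(ESET_LOG)
    for f in results:
        print(f.location, "|", f.threat, "|", f.action or "(no action reported)")
        for flag in f.flags:
            print("   -", flag)
    print(summarize(results))
```

Run as-is it prints the three findings with their flags and a summary of `{'total': 3, 'files': 2, 'memory_only': 1, 'pending_reboot': 1}`; the two non-zero counts at the end are exactly the items that justify the follow-up rescan after the restart that the thread goes on to describe.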

 

 



#6 NateJones

NateJones
  • Topic Starter

  • Members
  • 5 posts

Posted 23 June 2013 - 01:11 AM

I also wanted to report that just prior to doing these scans, a message popped up on my screen displaying the following:

 

Application Blocked by Security Software.

Name: o

Location: http:bradw.1banner.info/4d2376466a9b87533ba67906594f8.



#7 noknojon

noknojon

  • Banned
  • 10,871 posts

Posted 23 June 2013 - 01:15 AM

Odd one -

Were you doing anything or was your Antivirus scanning at the time ??

I will need to try and find this one -

 

Otherwise, how is the computer running ?

 

Thanks -



#8 NateJones

NateJones
  • Topic Starter

  • Members
  • 5 posts

Posted 23 June 2013 - 04:04 PM

Thank you for your assistance. The computer appears to be running fine now. The background iexplorer processes have disappeared, and I have not had any further notifications of blocked applications (Yesterday, when I did get the notification, I was not actively interacting with the computer, or running any scans; moreover, the first time I saw a notification like this was during the past week).

 

Are there any other steps I need to take to ensure that the trojan has been fully eliminated?



#9 noknojon

noknojon

  • Banned
  • 10,871 posts

Posted 23 June 2013 - 04:25 PM

Well Done -

I will keep this on Watch for another week, so post back if you have a problem.

Right Click / Delete any reports / logs left as they are not needed

Keep Malwarebytes and SUPERAntiSpyware on the computer, but always Update prior to any scan (every 2 to 3 days)

 

Thank You -



#10 noknojon

noknojon

  • Banned
  • 10,871 posts

Posted 02 July 2013 - 06:44 AM

Hi -

It has been about 2 weeks now, are things OK?

I will close this topic, and you can start another one unless you need help for now -

 

Regards -





