Rogue iexplorer.exe processes


  • This topic is locked
4 replies to this topic

#1 mwamateur

  • Members
  • 2 posts

Posted 09 June 2014 - 06:02 PM

Hi,

I did my best to follow the instructions but have been unable to produce the DDS reports that you require. DDS appears to be running all right, but the end result is only the Attach.txt file, and even it appears to be missing a lot of information. I saw another posting with a problem similar to mine that also had incomplete DDS output, so I followed the same advice that he got and produced FRST reports. The attached zip file has both my FRST and DDS output.

My computer appears to be infected with malware that causes the process "iexplorer.exe" to start up. It does this regardless of whether IE is really being run by the user. Once an iexplorer.exe task starts, it soon grows in size so that the Task Manager reports sizes greater than 100,000 K in the memory column. Then it continues to grow to exceed 1,000,000 K. By this time, one or more additional iexplorer.exe tasks will appear, and they grow as well, taking up all the memory and CPU resources. It is easy to kill these processes using the Process Manager, but new ones continue to start, and it literally becomes a full-time job.

One thing I have noticed is that the iexplorer.exe processes do not appear to start up if the laptop is disconnected from the Internet. Another thing that I notice while killing off iexplorer processes is that occasionally I will see numerous copies of ctfmon.exe start up and then quickly disappear. Not sure if that has anything to do with the iexplorer.exe tasks.

I was using AVG Free all along and installed Malwarebytes (basic) after this problem started occurring. Both programs have removed several undesirable programs - apparently more related to adware - but this has had no effect on the main problem.

Any assistance will be greatly appreciated.

MwAmateur

#2 Machiavelli

    Agent 007

  • Malware Response Instructor
  • 4,115 posts
  • Gender:Male
  • Location:Germany

Posted 10 June 2014 - 02:31 AM

Hello and welcome on board mwamateur,

My name is Machiavelli and I will assist you with your problem.
If you booted into safe mode on your computer then print my instructions!
I'm in the 'Malware Staff Team' and will provide you with advice:

Removing malware from a computer can be very complicated. Malware (malicious software) is able to hide, so I may not be able to find it easily. In order to remove malware from your computer, you need to follow my instructions carefully. Don't be worried if you don't know what to do, just ask me! Please stay in contact with me until the problem is fixed.

Below are a few tips:
  • Removing malware is usually very difficult.
    We need to search and analyse a lot of files. As this is done in our free time, please be patient, especially if I don't answer every day!
  • Please follow these instructions
    If you don't follow the instructions your computer may crash. If you fix your PC by yourself, this can be very risky!
  • Please stay in contact with me until your problem is resolved
    As malware may not be totally removed in one session or in one day, please stay in contact with me until the problem is resolved.
  • Please don't run any other tools without consulting me, as this can complicate finding and removing all malware
    Don't run any tools while I'm fixing your PC. That is counterproductive and, again, will only complicate finding and removing all malware!
  • Read my post completely
    If you don't do so, you may make mistakes that could result in your system crashing by your own actions!

Please post the logs in the thread.

    I was using AVG Free all along and installed Malwarebytes (basic) after this problem started occurring. Both programs have removed several undesirable programs - apparently more related to adware - but this has had no effect on the main problem.

Please also post these logs.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.


#3 mwamateur

  • Topic Starter
  • Members
  • 2 posts

Posted 10 June 2014 - 06:18 PM

Hi Machiavelli,
I was not expecting a response so soon. But thank you very much.

Before reading your reply, and expecting a 5-day wait, I started investigating other cases that seemed similar to mine. This is contrary to what your response asked me to do, so I apologize for that. However, I believe that things have turned out fairly well.

After reading about rootkits and how they pose a special difficulty for malware removal, I noticed that I had not checked off "rootkit protection" when I ran the Malwarebytes Anti-Malware program using the default settings. I don't seem to have a good copy of the Malwarebytes log file, but its report mentioned two instances of "forged physical sector" occurring on Drive 0, sectors 1 and 211.

As I mentioned previously, the infected computer only displayed symptoms (multiple high-impact iexplorer.exe tasks) when connected to the Internet. I ran this scan with the computer off the network and stayed off while I ran the Kaspersky TDSSKiller program, again looking for rootkits.

In addition to three unsigned-file messages that were listed as PUP, TDSSKiller reported the detection of Rootkit.Boot.Cidox, which it later "cured". Here is the excerpt:

09:55:15.0059 0x17a4 [ 24ACB7E5BE595468E3B9AA488B9B4FCB, 63541E3432FCE953F266AE553E7A394978D6EE3DB52388D885F668CF42C5E7E2 ] C:\Windows\system32\services.exe
09:55:15.0069 0x17a4 [ Global ] - ok
09:55:15.0069 0x17a4 ================ Scan MBR ==================================
09:55:15.0079 0x17a4 [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0
09:55:15.0639 0x17a4 \Device\Harddisk0\DR0 - ok
09:55:15.0639 0x17a4 ================ Scan VBR ==================================
09:55:15.0649 0x17a4 [ AC3F64BF335A44CC7222D4C2A19002D0 ] \Device\Harddisk0\DR0\Partition1
09:55:15.0649 0x17a4 \Device\Harddisk0\DR0\Partition1 - detected Rootkit.Boot.Cidox.b ( 0 )
09:55:15.0649 0x17a4 \Device\Harddisk0\DR0\Partition1 ( Rootkit.Boot.Cidox.b ) - infected
09:55:15.0659 0x17a4 [ 043101663774E869C1BCB9508EDD43F1 ] \Device\Harddisk0\DR0\Partition2
09:55:15.0669 0x17a4 \Device\Harddisk0\DR0\Partition2 - ok
09:55:15.0669 0x17a4 [ 1D1077A86F92C7F9AA9635B3BBE17D3A ] \Device\Harddisk0\DR0\Partition3
09:55:15.0679 0x17a4 \Device\Harddisk0\DR0\Partition3 - ok
09:55:15.0709 0x17a4 [ EE5049425E0028B6FBA80D41E309EDC0 ] \Device\Harddisk0\DR0\Partition4
09:55:15.0709 0x17a4 \Device\Harddisk0\DR0\Partition4 - ok


After TDSSKiller finished, I rebooted the system. Only then did I dare try connecting to the network to see if the symptoms (iexplorer.exe processes) would return. 10 hours later, they still have not, so I am feeling fairly confident of having stumbled into a fix.

Based on this, I will withdraw my request for help and ask that this case be closed. Thank you very much, though, for the help. It was only after learning that there was a 5-day backlog that I started reading up on rootkits, and I chose to try TDSSKiller after reading about a case similar to mine where it had worked.

I am not the person who normally uses this laptop, and it is not clear how this situation arose in the first place. However, I believe they received a flurry of frightening messages that may have caused them to click "OK" a few times when they should not have.

Regards and thanks for this great collection of information.

mwamateur
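The "Scan MBR" / "Scan VBR" lines in the excerpt above record one hash for sector 0 of the disk and one for the first sector of each partition, which is how a boot-sector scanner notices that a VBR bootkit such as Cidox has replaced a partition's bootstrap code. The script below is an added example for this thread; it is not code from the posts, from Malwarebytes or from Kaspersky TDSSKiller. It parses the MBR partition table, hashes the MBR and each primary partition's first sector, and compares the result with a baseline taken earlier. The disk image, the partition layout and the simulated VBR patch are constructed for the demonstration; the `DR0` / `DR0\Partition<n>` key names imitate the log's object names, and numbering partitions by table order is an assumption of this example, not TDSSKiller's rule.

```python
"""Fingerprint the MBR and each partition's first sector (VBR) of a raw disk.

Added example, not code from the thread, Malwarebytes or TDSSKiller.
Reproduces the idea behind the "Scan MBR" / "Scan VBR" lines in the posted
log: hash the boot sectors so a later run can be compared against a baseline.
"""
import hashlib
import io
import struct
import sys
from typing import BinaryIO, Dict, List, Tuple

SECTOR = 512
BOOT_SIG = b"\x55\xAA"       # last two bytes of a valid MBR or VBR
PT_OFFSET = 0x1BE            # start of the four 16-byte partition entries
ENTRY_FMT = "<B3xB3xII"      # status, (CHS start), type, (CHS end), first LBA, sector count

Entry = Tuple[int, int, int, bool]   # (type, first_lba, sector_count, bootable)


def parse_partition_table(mbr: bytes) -> List[Entry]:
    """Return the non-empty primary entries of an MBR partition table."""
    if len(mbr) < SECTOR or mbr[510:512] != BOOT_SIG:
        raise ValueError("not a valid MBR: 0x55AA signature missing")
    entries: List[Entry] = []
    for i in range(4):
        status, ptype, first_lba, count = struct.unpack_from(ENTRY_FMT, mbr, PT_OFFSET + 16 * i)
        if ptype == 0 or count == 0:          # empty slot
            continue
        entries.append((ptype, first_lba, count, status == 0x80))
    return entries


def sector_hashes(disk: BinaryIO) -> Dict[str, str]:
    """MD5 of sector 0 (MBR) and of the first sector of every primary partition.

    Keys imitate the object names in the posted log ("DR0", "DR0\\Partition1", ...);
    numbering by table order is an assumption here. An extended partition's first
    sector is its EBR and is hashed like any other; logical partitions are not walked.
    """
    disk.seek(0)
    mbr = disk.read(SECTOR)
    hashes = {"DR0": hashlib.md5(mbr).hexdigest().upper()}
    for n, (_ptype, first_lba, _count, _bootable) in enumerate(parse_partition_table(mbr), 1):
        disk.seek(first_lba * SECTOR)
        vbr = disk.read(SECTOR)
        if len(vbr) != SECTOR:
            raise ValueError(f"partition {n}: VBR at LBA {first_lba} lies beyond the end of the disk")
        hashes[f"DR0\\Partition{n}"] = hashlib.md5(vbr).hexdigest().upper()
    return hashes


def hashes_of_bytes(image: bytes) -> Dict[str, str]:
    """Convenience wrapper for an in-memory image (a forensic dump, or the toy disk)."""
    return sector_hashes(io.BytesIO(image))


def changed_sectors(current: Dict[str, str], baseline: Dict[str, str]) -> List[str]:
    """Names whose hash differs from (or is absent in) the baseline."""
    return sorted(name for name, h in current.items() if baseline.get(name) != h)


def build_toy_disk() -> bytearray:
    """Constructed sample disk: an MBR with two NTFS-typed partitions. Not real data."""
    parts = [(0x07, 63, 100, True), (0x07, 163, 100, False)]
    img = bytearray(max(lba + cnt for _, lba, cnt, _ in parts) * SECTOR)
    img[0:3] = b"\xEB\x63\x90"                      # MBR opens with a jump into its boot code
    for i, (ptype, lba, cnt, bootable) in enumerate(parts):
        struct.pack_into(ENTRY_FMT, img, PT_OFFSET + 16 * i, 0x80 if bootable else 0, ptype, lba, cnt)
        off = lba * SECTOR
        img[off:off + 11] = b"\xEB\x52\x90NTFS    "  # jump + OEM ID, as an NTFS VBR begins
        img[off + 510:off + 512] = BOOT_SIG
    img[510:512] = BOOT_SIG
    return img


def simulate_vbr_patch(img: bytearray, first_lba: int) -> None:
    """Overwrite part of a partition's bootstrap code, standing in for a bootkit that
    replaces the VBR so its own loader runs before Windows. Toy bytes, not Cidox."""
    off = first_lba * SECTOR + 0x54                 # inside the bootstrap code area
    img[off:off + 16] = bytes(range(0xC0, 0xD0))


if __name__ == "__main__":
    # Usage: python boot_sector_hash.py [raw-disk-or-image]
    # On Windows run elevated with \\.\PhysicalDrive0; with no argument the toy disk is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            for name, h in sector_hashes(fh).items():
                print(f"[ {h} ] \\Device\\Harddisk0\\{name}")
    else:
        toy = build_toy_disk()
        baseline = hashes_of_bytes(bytes(toy))
        simulate_vbr_patch(toy, 63)
        print("changed:", changed_sectors(hashes_of_bytes(bytes(toy)), baseline))
```

Two caveats when using this on a real machine. First, it handles MBR-partitioned disks; a GPT disk shows only the protective 0xEE entry. Second, a bootkit that hooks the disk driver stack can hand the original, clean sectors back to anything reading through the infected Windows, so an "ok" obtained from inside the running system is not conclusive. Take the baseline and the comparison from a clean boot medium or a forensic image, and treat a reboot after a "cure" the way Machiavelli does below: as a reason to check again, not as proof.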

#4 Machiavelli

    Agent 007

  • Malware Response Instructor
  • 4,115 posts
  • Gender:Male
  • Location:Germany

Posted 11 June 2014 - 03:07 AM

I would not be so confident that the rootkit is gone, but this is your decision. I will close the topic as solved.

~Machiavelli


#5 Machiavelli

    Agent 007

  • Malware Response Instructor
  • 4,115 posts
  • Gender:Male
  • Location:Germany

Posted 11 June 2014 - 03:08 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

~Machiavelli
