Multiple iexplore.exe in task manager
Tofer
So I'm browsing the net when a browser message comes up saying "Internet Explorer has stopped working" and then abruptly closes. This happend a few times. The 4th time I check task manager and see that there's 3 iexplore.exe when I have only 1 browser open. When I "kill" one iexplorer.exe process another one opens up immediately
I downloaded Proccess Explorer to check out the path of the other 2 iexplore.exe and it came up
Path: C:\Program Files\Internet Explorer\iexplore.exe
Command Line: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:5116 CREDAT:71978
And when I click "Bring to front" I get the message "No visible windows found for this process"
Then I clicked Security then Permissions and listed in the accounts windows is
"Account Unknown (S-1-5-5-0-276877)"
I've removed this account numerous times but it just keeps coming back only with a different number
AVG found nothing.
MalwareBytes found nothing so dont have a log file.
HERE's MY HjT LOG...
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SSDMonitor] C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\rmtray.exe /H
O4 - HKUS\S-1-5-21-2279729505-3709079803-170581798-1007\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'Mcx1')
O4 - HKUS\S-1-5-21-2279729505-3709079803-170581798-1007\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'Mcx1')
O4 - HKUS\S-1-5-21-2279729505-3709079803-170581798-1007\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (User 'Mcx1')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: dlcx_device - - C:\Windows\system32\dlcxcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: KRGSL - Sysinternals -
www.sysinternals.com - C:\Users\Kris_2\AppData\Local\Temp\KRGSL.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: MTXVRT - Sysinternals -
www.sysinternals.com - C:\Users\Kris_2\AppData\Local\Temp\MTXVRT.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: OVLLJRWYF - Sysinternals -
www.sysinternals.com - C:\Users\Kris_2\AppData\Local\Temp\OVLLJRWYF.exe
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - PC Tools - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
HERE'S MY DDS LOG...
SP: ZoneAlarm Pro Anti-Spyware *enabled* (Updated) {F245A209-1085-48B4-B927-35D56015EC60}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.co.uk/
============= SERVICES / DRIVERS ===============
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-12-17 161800]
=============== Created Last 30 ================
2009-12-28 15:23:18 65536 --sha-w- C:\ntuser.dat{3e1552ce-f2dd-11de-8e8a-001aa08b948b}.TM.blf
==================== Find3M ====================
2009-12-23 21:12:20 51200 ----a-w- c:\windows\inf\infpub.dat
============= FINISH: 12:05:39.28 ===============
Please get back to me ASAP
File Attachment : Attach.zip 2KB (application/x-zip-compressed)This file has been downloaded 787 time(s).
Back to Top
Jintan Welcome to BG forums Tofer,RSIT (random's system information tool) from here to your desktop. Then click on the RSIT.exe to open the RSIT display, and click the Continue button.RSIT will also create a second log , info.txt, which will be minimized to your taskbar. Post that here as well please (it will also be stored at C:\rsit\info.txt).here and download the installer for Gmer to your desktop, then click that file to run Gmer.Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan). Back to Top
Tofer Hello Jin and thank you for replying, where abouts in the logs does it show you this folder? Back to Top
Jintan This is the stolen data folder:leave them installed until ALL repairs on it are completed . If not, they will remain infected and can re-infect the computer (or others).REGEDIT4
Notepad then press OK), and copy the text inside the box above and paste it into the open Notepad textbox."fixer.reg" here and download Flash_Disinfector.exe and save it to your desktop.Flash_Disinfector.exe to run it and follow the prompts. Wait until it has finished scanning and then exit the program.here and download the most current copy of the SPTD installer (right now that is SPTDinst-v162-x86.exe). Then click the downloaded file to start the installer. When the option appears select Uninstall, and allow the tool to uninstall SPTD from your system. Be sure to reboot after to complete the removal of the SPTD settings.here to your desktop, but I would like you to rename the file as you download it (do not download it directly without renaming it - use right click "Save Target/Link As" ). For this, rename the downloading file to 456out.com , then click the renamed 456out.com to run that scan.Post Edited (Jintan) : 07-01-2010 00:30:54 GMT
Back to Top
Tofer I double clicked Flash_Disinfector and nothing happend :s. It's defo the correct one. I Downloaded the rest of the things you told me and done the fixer. But Flash Disinfector is next on the list to run. I'm guessing its not right to run SPTD or combofix if the disinfector hasn't run yet?
Anyway around this?
Thanks for the help.
...Thee Infamous El Guapo
Back to Top
Jintan Suggests malware is loading into processes there, and monitoring and interfering with the known tools we use. Good to check in on things like this. But go ahead with the other steps please. Back to Top
Tofer Hello again Back to Top
Jintan Those older security software entries are stored in the WMI info.here and download jpshortstuff's SystemLook to your desktop, then click that file to open the scan display. In the open textbox, copy and paste the following (inside the Code box below):Look . Once the scan completes Notepad will open - copy/paste those contents back here please. That will also be saved as a log where you have the scan file, named SystemLook.txt. Back to Top
Tofer we meet again wise one... Back to Top
Jintan Before we take action on a file move, did you do these steps posted earlier in our work here:here and download the most current copy of the SPTD installer (right now that is SPTDinst-v162-x86.exe). Then click the downloaded file to start the installer. When the option appears select Uninstall, and allow the tool to uninstall SPTD from your system. Be sure to reboot after to complete the removal of the SPTD settings. Back to Top
Tofer Sure did but I didn't see it do anything apart from install and then uninstall like you said. Was it supposed to scan and then save a log or something? Back to Top
Tofer Jin I tried inputting what you said but nothing happend and I was left with this... Back to Top
Tofer Hello there Back to Top
Jintan The Avenger log suggests it was unable to make the file move, but the ComboFix scan run after that indicates the file alteration is no longer occurring. Let's check the file status again. Run this same script in SystemLook again, and post the log please: Back to Top
Tofer SystemLook v1.0 by jpshortstuff (29.08.09) Back to Top
Jintan No, my fault reposting the Avenger script. This script please: Back to Top
Tofer Hello
Is this the right?
SystemLook v1.0 by jpshortstuff (29.08.09)
========== filefind ==========
Searching for "atapi.sys"
-=End Of File=-
Back to Top
Jintan Sorry for missing you had replied, and it is okay to send a PM like you did should this occur. These files match, which indicates the file exchange worked: Back to Top
Tofer Hello again, no need to say sorry I'm sure you're a very busy man! Back to Top
Jintan Good job - the file exchange appears to have worked. Don't want to delay things more than we need to, but I would like you to verify a folder, and/or the file inside it:View Hidden Files . Also uncheck "Hide Extensions for Known File Types", so you will see any info available to you. Just check if that file exists, right click it - select Properties and see if you can determine what created/uses it.here , press new topic, fill in the needed details and just give a link to your post back here (see the "Instructions for uploading files" there for help, if needed). Then press the browse button and then navigate to & select that file on your computer. Back to Top
Tofer cant find that file anywhere. think it may have been removed allready? Back to Top
Jintan That is enough to move forward on.notepad and press Enter) and copy/paste the text in the codebox below into it:KillAll::
CFScript.txt here and run an online scan using ESET Online Scanner (you will need to use Internet Explorer for this scan, or download the installer to run it in a different browser). If you accept the Terms of Use, check the box and click Start. After the ActiveX Control has loaded, it will take a couple minutes for the scanner to get ready. Next, check the following boxes:Remove found threats log.txt ). Click Edit - Select All then copy/paste that log back here please.here and download the esetsmartinstaller_enu.exe Eset installer. Then click that file, and follow the same previous steps to run the scan. Back to Top
Tofer Hello, Back to Top
55 posts in this thread. 1 2 3
Forum Information Currently it is Friday, May 24, 2013 7:02 PM (GMT +3)View Active Threads Who's Online This forum has 34621 registered members. Please welcome our newest member, ACSIUS .Details 5 Latest Threads
|
Forum Help Manual
