IE Trojan, Multiple IE processes

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ocelik, Jan 4, 2010.

  1. ocelik

    ocelik Private E-2

    Dear Experts,

    When I open IE, most of the times it gives error: "Your last browsing session closed unexpectedly. Would you like to restore your last session, or go to your home page?". I know I close IE normally, it is not closed unexpectedly. When I choose to restore the last session, it opens my home page. When I open IE, it opens 2 IExplore.exe processes in the task manager. When I open additional IE windows, the 1 extra process always remains extra. There is always 1 extra IE process when IE is open. When I close IE, all IExplore.exe processes are closed. I checked my computer with F-Secure Online Scanner, and found that I have IE Trojan (I could not record how the scanner named it), it did not show exactly what the filename was. F-Secure Online Scanner reported that it cleaned the infection. Now I scanned my computer with SUPERAntiSpyware, it found Trojan.IEXPLORER in C:\WINDOWS\INSTALLER\... folders. Normally I use Firefox for browsing, I use IE when I have to. I think in the past I installed a toolbar of FreeCause.com to IE, and it did not have a proper uninstall. I suspect it can be the source of the trojan, but I can't be 100% sure because it was months ago, and I found out the multiple process problem recently.

    When I run RootRepeal, file scan, I get error: Could not read the boot sector. Try adjusting the Disk Access Level in the Options dialog. Although I adjust level to "high level - Support All devices, support dynamic disks" I still receive the same error. In the file scan, it stays at the status "Initializing, please wait" after showing the above error in a msg box. It has a scan status: Volume C:\, MBR Rootkit Detected!. My computer has "Safeguard Easy" disk encryption software, I do not know if this "MBR Rootkit Detected" result has to do with it. I have disabled my antivirus while doing this.

    My computer is a company computer and belongs to a Domain. My admins are using Landesk user administration program and I am OK with it. The above mentioned IE behaviour does not have to do with it, I checked other computers in my company, they open only one IE session when they are opened. IE behaviour continues even after F-Secure and SUPERAntiSpyware removed the trojans they found.

    Could you please review my log files to advise if it is infected and how to clean the infection.

    Thank you for your consideration.
     

    Attached Files:

  2. ocelik

    ocelik Private E-2

    More logs
     

    Attached Files:

  3. ocelik

    ocelik Private E-2

    Maybe this may help in your analysis: My IE locations are:
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe.mui
    C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui
    C:\WINDOWS\Prefetch\IEXPLORE.EXE-0A31FE70.pf
    C:\WINDOWS\Prefetch\IEXPLORE.EXE-12915967.pf
    C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The only problems I see are that you have not put ComboFix where we ask you to install it, which is directly on your desktop, not here:
    c:\documents and settings\ocelik005\Desktop\antispyware\ComboFix.exe

    And what do you have in this folder:
    C:\antispy ?

    What issues are you still having?
     
  5. ocelik

    ocelik Private E-2

    Dear Malware Expert,

    Thank you for your response. Now, I ran Combofix from Desktop, and attached the report again. In C:\antispy, I saved MGtools.exe, it is just a folder I created for organizing the files.

    The following symptoms still continue. I am worried that the Trojan still survives. If you suggest me any traffic analyser or something like that, I can make any other probe.

    When I open IE, most of the times it gives error: "Your last browsing session closed unexpectedly. Would you like to restore your last session, or go to your home page?". I know I close IE normally, it is not closed unexpectedly. When I choose to restore the last session, it opens my home page. When I open IE, it opens 2 IExplore.exe processes in the task manager. When I open additional IE windows, the 1 extra process always remains extra. There is always 1 extra IE process when IE is open. When I close IE, all IExplore.exe processes are closed.

    Thanks for your consideration,
    Orhan
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Looks like I missed an item.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Files::
    c:\windows\system32\api_hook_list.dat
    C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
    C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
    C:\WINDOWS\Tasks\PCDoctorBackgroundMonitorTask.job
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now! And if you are checking your running processes, then you can always kill one and see what happens. :)
     
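Before deleting the entries in a CFScript such as the one above, a defender usually wants to know what each path is: its size, timestamp, hash and Authenticode status, and for the Task Scheduler .job files, what command the task actually runs. The script below is an added example, not part of this thread and not part of ComboFix or MGtools; it takes the four paths from the CFScript above and assumes Windows PowerShell 2.0 on XP or Vista (the `-split` operator needs 2.0). Nothing is modified; it only reports.

```powershell
# Added example (not from the thread, ComboFix or MGtools): inventory the paths named
# in a CFScript before they are removed. Read-only. Assumes Windows PowerShell 2.0.
$paths = @(
    'C:\WINDOWS\system32\api_hook_list.dat',
    'C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job',
    'C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job',
    'C:\WINDOWS\Tasks\PCDoctorBackgroundMonitorTask.job'
)

# SHA-256 via .NET so it also works on PowerShell versions without Get-FileHash.
function Get-Sha256Hex([string]$file) {
    $sha = New-Object System.Security.Cryptography.SHA256Managed
    $fs  = [System.IO.File]::OpenRead($file)
    try { $bytes = $sha.ComputeHash($fs) } finally { $fs.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) { Write-Host "MISSING  $p"; continue }
    $item = Get-Item -LiteralPath $p -Force
    # .dat/.job files are normally unsigned; the status still tells you if it is a signed PE.
    $sig  = (Get-AuthenticodeSignature -FilePath $p).Status
    Write-Host ("{0,-58} {1,9} bytes  modified {2:u}  sig={3}" -f $p, $item.Length, $item.LastWriteTime, $sig)
    Write-Host ("    sha256=" + (Get-Sha256Hex $p))
}

# Each C:\WINDOWS\Tasks\*.job file is a Task Scheduler entry whose name is the file
# name without the extension. Dump the whole verbose task list once (schtasks /query
# has no /tn filter on XP) and pick the matching block out of it.
$taskText = schtasks /query /fo LIST /v | Out-String
$blocks   = $taskText -split "(\r?\n){2,}"
foreach ($p in ($paths | Where-Object { $_ -like '*.job' })) {
    $task    = [System.IO.Path]::GetFileNameWithoutExtension($p)
    # Vista+ prints the name as "\Task", XP prints "Task"; accept both.
    $pattern = '(?m)^TaskName:\s+\\?' + [regex]::Escape($task) + '\s*$'
    $hit     = $blocks | Where-Object { $_ -match $pattern }
    Write-Host "`nScheduled task '$task':"
    if (-not $hit) { Write-Host '    (no matching Task Scheduler entry)'; continue }
    $hit | Select-String 'TaskName|Task To Run|Schedule Type|Run As User' |
        ForEach-Object { Write-Host ('    ' + $_.Line.Trim()) }
}
```

The "Task To Run" line is the part worth reading: a task whose command points at a path in a user profile, a temp directory or a randomly named folder is what separates an unwanted entry from a vendor updater that merely shares a generic name.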
  7. ocelik

    ocelik Private E-2

    Dear Malware Expert,

    Thank you for your response. Now, I ran Combofix from Desktop with the text file, and MGtools\GetLogs.bat . I attached the reports.

    The symptoms still continue. IE generally opens with error: "Your last browsing session closed unexpectedly...". This happens generally when I run IE first time after I open my computer. After the first time we open, if I close IE and open it again the error comes in some of the times.

    There are two tasks, one with ~23000K and other ~18700K initial memory usage. The ~23..K process increases slowly as I use my computer although I do not do anything in IE. It was ~24..K when I wrote this from Firefox. The 18K process is stable around these levels, it became max ~20..K if I login to yahoo mail from IE. The ~23..K process became 63K when I logged in to yahoo and read a mail. If I kill the 23..K process, the open tab is recovered. If I kill the other process, IE is killed, and the 23..K process disappears in 1 sec. If I close the IE window manually, both processes disappear.

    Could you guide me how to proceed?

    Thanks,
    Orhan
     

    Attached Files:
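The behaviour described in the post above (one process that survives a kill while the tab recovers, one whose death takes IE down) is what a frame process plus a separate tab process looks like, which is how IE8 is built, so the question for a defender is not the process count but whether both processes run the expected, signed iexplore.exe image and what non-Microsoft modules (toolbars, BHOs) they have loaded. The script below is an added example, not part of this thread; it assumes Windows PowerShell 2.0 and that IE lives under `%ProgramFiles%\Internet Explorer`, the path the poster listed earlier. It is read-only and does not kill anything.

```powershell
# Added example (not from the thread): for every running iexplore.exe, show PID, parent,
# image path, command line and Authenticode status, then list loaded modules that come
# from outside the Windows and Internet Explorer directories. Assumes PowerShell 2.0.
$expectedImage = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'
$trustedDirs   = @($env:SystemRoot, (Split-Path $expectedImage))

$procs = @(Get-WmiObject Win32_Process -Filter "Name='iexplore.exe'")
if ($procs.Count -eq 0) { Write-Host 'No iexplore.exe processes running.'; return }

foreach ($p in $procs) {
    $parent = Get-WmiObject Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"
    $parentName = if ($parent) { $parent.Name } else { 'exited' }
    $sig    = if ($p.ExecutablePath) { (Get-AuthenticodeSignature $p.ExecutablePath).Status } else { 'n/a' }
    $pathOk = ($p.ExecutablePath -eq $expectedImage)
    $pathNote = if ($pathOk) { 'expected path' } else { 'UNEXPECTED PATH' }

    Write-Host ("`nPID {0}  parent {1} ({2})" -f $p.ProcessId, $p.ParentProcessId, $parentName)
    Write-Host ("  image:   {0}  [{1}]  sig={2}" -f $p.ExecutablePath, $pathNote, $sig)
    Write-Host ("  cmdline: {0}" -f $p.CommandLine)

    # Third-party toolbars and BHOs are DLLs loaded into the browser; anything loaded
    # from outside the trusted directories is what you review next.
    $proc = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
    if (-not $proc) { continue }
    try { $modules = $proc.Modules } catch { Write-Host '  (module list not accessible)'; continue }
    $foreign = $modules | Where-Object {
        $f = $_.FileName
        -not ($trustedDirs | Where-Object { $f -like "$_\*" })
    }
    foreach ($m in $foreign) {
        $ms = (Get-AuthenticodeSignature $m.FileName).Status
        Write-Host ("  module:  {0}  sig={1}" -f $m.FileName, $ms)
    }
}
```

Run it from an elevated console while IE is open. Two processes whose image is the expected, validly signed iexplore.exe and whose only foreign modules are signed by vendors you recognise are the normal IE8 picture; an unsigned DLL under a user profile or a temp folder, or an image path other than the expected one, is the thing to hand to the helpers in a thread like this.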

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Well, I am not seeing any malware on your system. I would suggest you post in the software forum.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  9. ocelik

    ocelik Private E-2

    Thank you for inspecting my case. I was worried that it could be a malware, now this is good news.

    Cheers,
    Orhan
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. :)
     
