Your gracious help please

Discussion in 'Malware Help (A Specialist Will Reply)' started by apoxacilin, Feb 24, 2008.

  1. apoxacilin

    apoxacilin Private E-2

    I was groggily shutting down my computer two nights ago and a window popped up masquerading as a Windows firewall notification box; I stupidly clicked "ok" or "yes" or whatever it was.

    Ever since, I've got "iexplore.exe" eating up much of my memory and, until I blocked its access to the net with Zone Alarm, much of my CPU usage. I should say that in addition to this "iexplore.exe" in the Windows Task Manager, there is another less memory-hogging "iexplore.exe" (the first takes around 35,000 K, the second 12,000). There is also an "explorer.exe" (around 14,000) which I assume is not problematic. In any case, I've been blocking "iexplore.exe" from internet use for the past couple of days.

    I've followed your instructions in running: combofix, spybot search and destroy, SuperAnti-Spyware, and MGtools. While spybot and SAspyware found some problems which I fixed, the "iexplore.exe" problem persists. Attached are logs from Combofix, SASpyware, and MGtools.

    I noticed a number of people online describing similar problems, though given solutions were scarce or unconvincing. I figure Majorgeeks knows what they're doing. Please excuse my computer ignorance.

    Thank you for your help,
    Matthew
     


  2. apoxacilin

    apoxacilin Private E-2

    I forgot to mention that after I ran Combofix the Firefox shortcut on my desktop switched to an Internet Explorer shortcut (a second one, as I already had one on the desktop). The Firefox shortcut tagged to the start menu was also changed to Internet Explorer.

    As a recently used program, Firefox remained on the start menu's list of such programs, though it now starts in Safe mode.

    Please let me know if the logs I posted are faulty in any way, and I will make the appropriate changes.

    Thank you,
    Matthew
     
  3. apoxacilin

    apoxacilin Private E-2

    Please excuse one more addendum to my initial post (I know I'm just delaying your kind responses). But I forgot to mention one more thing:

    Whenever I shut down or reboot the computer, Windows has to separately end the "iexplore.exe" application. An End Program box comes up, which I usually expedite by ending the process immediately. (This was one of my first clues that I had malware in the first place.)

    Also, this might be helpful to problem solvers, or those who know about these things, but after the "iexplore.exe" program finally ends, another message box pops up and usually disappears within a few seconds; however, I was able to make out a bit of it. It has to do with: "DUP EPL~1.DLL" You'll have to again pardon my ignorance of what this means, but I thought it might help you to narrow things down during your log browsing.

    Cheers,
    Matthew
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's start with this:
    Please use add/remove programs to uninstall:
    My Way Search Assistant --> if it is not on the list...use CCleaner / Tools

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Be sure to tell us how things are running.
     
  5. apoxacilin

    apoxacilin Private E-2

    TimW,

    Thank you for your time and help. Your suggestions have worked well for me.
    Internet Explorer, which I never use anyway, no longer has an annoying toolbar.
    And the odd "iexplorer.exe" process, running when Internet Explorer was not, is now no longer in my Task Manager. Also, I no longer have to specially end "iexplorer.exe"'s task when rebooting; nor do I receive odd messages about .dll files when rebooting.

    I do still have an "explorer.exe" process which takes up anywhere from 21K to 35K--but I assume this is Windows' necessary process and not malware (though my attached logs might tell you otherwise).

    The only thing that remains unchanged after your suggestions is that Firefox still wants to start in 'safe mode', which it has ever since I ran Combofix--its desktop shortcut, which changed to Internet Explorer after Combofix as well, has not reverted back to Firefox. Is this something to do with Combofix's policy with defaults, or default browsers? I was wary of using the altered shortcut (Firefox-->Internet Explorer) because of the rogue process "iexplorer.exe", but perhaps now I can fiddle with it?

    Also, now that I have SuperAntiSpyware installed, is it necessary to run this program constantly? Do you recommend it?

    Thank you again much for your help; attached are my MGtools logs and my avenger log. Please let me know if anything seems out of the ordinary if you happen to glance at them.

    Much thanks,
    Matthew
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    You really need to clean up your desktop ...as in put related things into folders.

    If doing the above did not fix Firefox, then just delete the icon from the desktop and go to C:\Program Files\Mozilla Firefox\firefox.exe right click the .exe and send to desktop (shortcut).

    You can run SuperAnti-spyware as often as you feel the need...it would depend on how vulnerable you are feeling.

    Tell me how the above worked.
     
  7. apoxacilin

    apoxacilin Private E-2

    TimW,

    Thank you for the above fix. Your generous time and help is appreciated here. Everything is running great.

    Thanks,
    Matthew
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are welcome .....

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix, you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Windows XP or Windows ME, do the below:
    * Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
    * How to Protect yourself from malware!
     
