iexplore.exe runs and "views" webpages in background
Sat, 15 Mar 2008 06:14:00 -070
I have some sort of bug - having run Advast, Spybot, Adaware2007, MS
malicious removal, windows defender, Avast virus removal tool but still no
fix.
The scanner in Avast reports that computer is "browsing" sites, yet IE
browser is not running. iexplore.exe shows in task manager processes, when
ended, it reinitializes. Changing name of iexplore.exe to iexplore.0
generates a new copy of iexplore.exe in the folder. There are also up to
three copies of svchost active in processes which can't be killed (for long).
Needless to say, this generates a high CPU usage/commit plus seems to
interfere with MS office applications - most noticed in Outlook bad
initializations & inability to open items from inbox. Any known bugs/fixes

Re: iexplore.exe runs and "views" webpages in background
Sat, 15 Mar 2008 08:56:01 -050
"BigRickRunem" <BigRickRunem@discussions.microsoft.com> wrote in
message
news:78C8F385-89CF-4642-9B8D-F0D3564F1C1F@microsoft.com...
>I have some sort of bug - having run Advast, Spybot, Adaware2007, MS
> malicious removal, windows defender, Avast virus removal tool but still no
> fix.
> The scanner in Avast reports that computer is "browsing" sites, yet IE
> browser is not running. iexplore.exe shows in task manager processes,
> when
> ended, it reinitializes. Changing name of iexplore.exe to iexplore.0
> generates a new copy of iexplore.exe in the folder. There are also up to
> three copies of svchost active in processes which can't be killed (for
> long).
> Needless to say, this generates a high CPU usage/commit plus seems to
> interfere with MS office applications - most noticed in Outlook bad
> initializations & inability to open items from inbox. Any known
> bugs/fixes
> that I can try short of nuking this box?
Do a thorough check for malware, following all of the steps at one of these
Web pages.
Help with malware:
All MS-MVP Sites.
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://www.elephantboycomputers.com/page2.html#Removing_Malware
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/darnit.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
Unexplained computer behavior may be caused by deceptive software.
http://support.microsoft.com/kb/827315
So How Did I Get Infected Anyway?
For quite a few people it's by installing programs like Messenger Plus,
whose ads for malware don't identify the malware as such and try to convince
you that you owe it to the author. See also:
http://www.wilderssecurity.com/showthread.php?t=27971
Don't ever do a "default" install of anything. Always choose Custom and see
what else is being carried along. Don't install any extras you're not sure
of.
--
Frank Saunders MS-MVP IE,OE/WM
www.fjsmjs.com
Do not reply with email

Re: iexplore.exe runs and "views" webpages in background
Sat, 15 Mar 2008 09:57:40 -040
Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315
Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.
Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware
When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware with
assistance from an expert. **Post your log to
http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7,
http://aumha.net/viewforum.php?f=30, or other appropriate forums for review
by an expert in such matters, not here.**
If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/
BigRickRunem wrote:
> I have some sort of bug - having run Advast, Spybot, Adaware2007, MS
> malicious removal, windows defender, Avast virus removal tool but still no
> fix.
> The scanner in Avast reports that computer is "browsing" sites, yet IE
> browser is not running. iexplore.exe shows in task manager processes,
> when
> ended, it reinitializes. Changing name of iexplore.exe to iexplore.0
> generates a new copy of iexplore.exe in the folder. There are also up to
> three copies of svchost active in processes which can't be killed (for
> long). Needless to say, this generates a high CPU usage/commit plus seems
> to
> interfere with MS office applications - most noticed in Outlook bad
> initializations & inability to open items from inbox. Any known
> bugs/fixes
> that I can try short of nuking this box?

Re: iexplore.exe runs and "views" webpages in background
Mon, 17 Mar 2008 15:04:02 -070
"PA Bear [MS MVP]" wrote:
> Unexplained computer behavior may be caused by deceptive software
> http://support.microsoft.com/kb/827315
>
> Run a /thorough/ check for hijackware, including posting your hijackthis
> log to an appropriate forum.
>
> Checking for/Help with Hijackware
> http://aumha.org/a/parasite.htm
> http://aumha.org/a/quickfix.htm
> http://aumha.net/viewtopic.php?t=5878
> http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
> http://mvps.org/winhelp2002/unwanted.htm
> http://inetexplorer.mvps.org/data/prevention.htm
> http://inetexplorer.mvps.org/tshoot.html
> http://www.mvps.org/sramesh2k/Malware_Defence.htm
> http://defendingyourmachine2.blogspot.com/
> http://www.elephantboycomputers.com/page2.html#Removing_Malware
>
> When all else fails, HijackThis v2.0.2
> (http://aumha.org/downloads/hijackthis.zip) is the preferred tool to use.
> It will help you to both identify and remove any hijackware/spyware with
> assistance from an expert. **Post your log to
> http://forums.spybot.info/forumdisplay.php?f=22,
> http://castlecops.com/forum67.html,
> http://forums.subratam.org/index.php?showforum=7,
> http://aumha.net/viewforum.php?f=30, or other appropriate forums for review
> by an expert in such matters, not here.**
>
> If the procedures look too complex - and there is no shame in admitting
> this isn't your cup of tea - take the machine to a local, reputable and
> independent (i.e., not BigBoxStoreUSA) computer repair shop.
> --
> ~Robear Dyer (PA Bear)
> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
> AumHa VSOP & Admin http://aumha.net
> DTS-L http://dts-l.net/
>
> BigRickRunem wrote:
> > I have some sort of bug - having run Advast, Spybot, Adaware2007, MS
> > malicious removal, windows defender, Avast virus removal tool but still no
> > fix.
> > The scanner in Avast reports that computer is "browsing" sites, yet IE
> > browser is not running. iexplore.exe shows in task manager processes, when
> > ended, it reinitializes. Changing name of iexplore.exe to iexplore.0
> > generates a new copy of iexplore.exe in the folder. There are also up to
> > three copies of svchost active in processes which can't be killed (for
> > long). Needless to say, this generates a high CPU usage/commit plus seems to
> > interfere with MS office applications - most noticed in Outlook bad
> > initializations & inability to open items from inbox. Any known bugs/fixes
> > that I can try short of nuking this box?
>
> Ran all scanners this morning in Safe mode; SpyBotS&D found a cookie
for Right Media & removed it; Avast found a system restore file infected
& moved it to virus chest; the log file for HijackThis is as follows [also
run in safe mode]:
Logfile of HijackThis v1.99.1
Scan saved at 9:29:19 AM, on 3/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Documents and Settings\Stevie Treadwell\My Documents\Downloaded Program
Updates\aswclnr.exe
C:\Documents and Settings\Stevie Treadwell\My Documents\Downloaded Program
Updates\aswclnr.tmp
C:\Program Files\Windows Defender\MSASCui.exe
C:\DOCUME~1\STEVIE~1\LOCALS~1\Temp\Temporary Directory 1 for
hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://my.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page =
http://go.microsoft.com/fwlink/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - - (no file)
O2 - BHO: Adobe PDF Reader Link Helper -
- C:\Program Files\Common
Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection -
- C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button -
- C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - -
C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - -
C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: CBrowserHelperObject Object -
- C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog
Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media
Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe"
-atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common
Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common
Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program
Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect
Office X3\Programs\QFSCHD130.EXE"
O4 - HKLM\..\Run: [PdxRegCl] "C:\Program
Files\Paradox\Programs\PdxRegCl.exe" /s /c
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common
Files\Symantec
Shared\PIF\\PIFSvc.exe"
/a /m "C:\Program Files\Common Files\Symantec
Shared\PIF\\AlertEng.dll"
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil
Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program
Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program
Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program
Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows
Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Easy SpyRemover] C:\Program Files\Easy
SpyRemover\EasySpyRemover.exe /smart
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe
C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32
"C:\DOCUME~1\STEVIE~1\LOCALS~1\Temp\IXP000.TMP\"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
/background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common
Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search &
Destroy\TeaTimer.exe
O4 - Global Startup: FTP Utility.lnk = C:\Program Files\KONICA MINOLTA\FTP
Utility\KMFtp.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL
Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Xelo PDF Driver.lnk = C:\XeloPDFWriter\XeloPDFWriter.exe
O8 - Extra context menu item: &Search - ?p=ZCxdm492YYUS
O8 - Extra context menu item: Open with WordPerfect - C:\Program
Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - -
C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
- C:\Program
Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Absolute Poker - -
C:\Documents and Settings\Stevie Treadwell\Start Menu\Programs\Absolute
Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker -
- C:\Documents and Settings\Stevie
Treadwell\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Yahoo! Services -
- C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - -
C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - -
C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration -
- C:\PROGRA~1\Spybot - Search &
Destroy\SDHelper.dll
O9 - Extra button: (no name) - -
%windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -
- %windir%\Network
Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
- C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: (StagingUI Object) -
http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: (Installation Support) -
C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: (MSN Games – Buddy Invite)
- http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: (LinkedIn
ContactFinderControl) -
http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: (ZonePAChat Object) -
http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: (MUWebControl Class) -
http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_si
te.cab?1170207461234
O16 - DPF: (Java Runtime Environment
1.6.0) -
http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: (MSN Games - Installer) -
http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: (Shockwave Flash Object) -
http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: (MSN Games – Game
Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: (MSN Games – Backgammon) -
http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
O17 -
HKLM\System\CCS\Services\Tcpip\..\:
NameServer = 64.105.132.250,64.105.166.122
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - -
C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: BootSetup - -
C:\WINDOWS\Installer\\BootSetup.dll
O21 - SSODL: zip - -
C:\WINDOWS\Installer\\zip.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program
Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software -
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation -
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil
Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries
Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision
Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel
32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service
(LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common
Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation -
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program
Files\Common Files\Symantec
Shared\PIF\\PIFSvc.exe" /m
"C:\Program
Files\Common Files\Symantec
Shared\PIF\\PifEng.dll (file missing)
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. -
C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program
Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner -
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation -
C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: ProtexisLicensing - Unknown owner -
C:\WINDOWS\system32\PSIService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program
Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program
Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common
Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program
Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation -
C:\Program Files\Viewpoint\Common\ViewpointService.exe
FYI: while in safe mode I was able to rename iexplore.exe without it
replicating itself; system seems to be running better, but I had to terminate
two processes from task manager that were eating up commit - tmp****.exe
where **** appears to be random numbers each time I reboot. Please advise as
to what is generating this if it appears in the Hijack log above.

Re: iexplore.exe runs and "views" webpages in background
Mon, 17 Mar 2008 18:36:04 -040
BigRickRunem wrote:
>>> I have some sort of bug - having run Advast, Spybot, Adaware2007, MS
>>> malicious removal, windows defender, Avast virus removal tool but still
>>> no fix.
>>> The scanner in Avast reports that computer is "browsing" sites, yet IE
>>> browser is not running. iexplore.exe shows in task manager processes,
>>> when ended, it reinitializes. Changing name of iexplore.exe to iexplore.0
>>> generates a new copy of iexplore.exe in the folder. There are also up
>>> to three copies of svchost active in processes which can't be killed (for
>>> long). Needless to say, this generates a high CPU usage/commit plus
>>> seems to interfere with MS office applications - most noticed in Outlook
>>> bad initializations & inability to open items from inbox. Any known
>>> bugs/fixes that I can try short of nuking this box?
>>
>> Unexplained computer behavior may be caused by deceptive software
>> http://support.microsoft.com/kb/827315
>>
>> Run a /thorough/ check for hijackware, including posting your hijackthis
>> log to an appropriate forum.
>>
>> Checking for/Help with Hijackware
>> http://aumha.org/a/parasite.htm
>> http://aumha.org/a/quickfix.htm
>> http://aumha.net/viewtopic.php?t=5878
>> http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
>> http://mvps.org/winhelp2002/unwanted.htm
>> http://inetexplorer.mvps.org/data/prevention.htm
>> http://inetexplorer.mvps.org/tshoot.html
>> http://www.mvps.org/sramesh2k/Malware_Defence.htm
>> http://defendingyourmachine2.blogspot.com/
>> http://www.elephantboycomputers.com/page2.html#Removing_Malware
>>
>> When all else fails, HijackThis v2.0.2
>> (http://aumha.org/downloads/hijackthis.zip) is the preferred tool to use.
>> It will help you to both identify and remove any hijackware/spyware with
>> assistance from an expert. **Post your log to
>> http://forums.spybot.info/forumdisplay.php?f=22,
>> http://castlecops.com/forum67.html,
>> http://forums.subratam.org/index.php?showforum=7,
>> http://aumha.net/viewforum.php?f=30, or other appropriate forums for
>> review by an expert in such matters, not here.**
>>
>> If the procedures look too complex - and there is no shame in admitting
>> this isn't your cup of tea - take the machine to a local, reputable and
>> independent (i.e., not BigBoxStoreUSA) computer repair shop.
>> --
> Ran all scanners this morning in Safe mode; SpyBotS&D found a cookie for
> Right Media & removed it; Avast found a system restore file infected &
> moved it to virus chest; the log file for HijackThis is as follows [also
> run in safe mode]:
>
> Logfile of HijackThis v1.99.1
> Scan saved at 9:29:19 AM, on 3/17/2008
> Platform: Windows XP SP2 (WinNT 5.01.2600)
> MSIE: Internet Explorer v7.00 (7.00.6000.16608)
<snip>
>
> FYI: while in safe mode I was able to rename iexplore.exe without it
> replicating itself; system seems to be running better, but I had to
> terminate two processes from task manager that were eating up commit -
> tmp****.exe where **** appears to be random numbers each time I reboot.
> Please advise as to what is generating this if it appears in the Hijack
> log.
Repost:
**Post your log to http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7,
http://aumha.net/viewforum.php?f=30, or other appropriate forums for review
by an expert in such matters, not here.**
Comments:
=> You've got a Trojan-Downloader.Win32.Agent.keu (variant) infection and
what looks to be Trojan/Zlob infection. I wouldn't be surprised to find a
rootkit infection as well as Vundo and one or more SDBot variants either.
In short, the machine is seriously compromised and you'll need expert
assistance to make it whole again (unless you format & reinstall Windows).
=> You should be using HijackThis v2.0.2, not v1.99.1. Replace what you
have now with this one: http://aumha.org/downloads/hijackthis.exe [The link
I originally posted was correct but somehow the old version is in the zip
file; sorry.]
=> HijackThis (hijackthis.exe) must be located in its own, dedicated folder,
not run from a TEMP directory.
=> Spybot Tea Timer must be disabled before any progress can be made. See
http://aumha.net/viewtopic.php?t=32409
=> Whatever Norton application had been installed in the past has not been
uninstalled completely. Uninstall LiveUpdate via Add/Remove Programs, run
the Norton Removal Tool, and reboot the machine prior to posting your new
HijackThis log (using v2.0.2) in an appropriate forum.
Good luck.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/
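
An added example, not part of any post in this thread: a Python triage script that checks a HijackThis log for the points raised in the reply above (HijackThis older than v2.0.2, HijackThis run from a TEMP directory, Spybot TeaTimer still active, Symantec/LiveUpdate services still registered) and for entries HijackThis itself marks "(file missing)". The function names and finding labels are made up for this example; the sample input is an excerpt of the log posted in the thread.

```python
import re

# Excerpt of the HijackThis log posted in this thread, kept with the
# mail-client line wraps it has on the page so the rejoin logic is exercised.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:29:19 AM, on 3/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\STEVIE~1\LOCALS~1\Temp\Temporary Directory 1 for
hijackthis.zip\HijackThis.exe
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil
Software\Avast4\ashDisp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search &
Destroy\TeaTimer.exe
O23 - Service: LiveUpdate - Symantec Corporation -
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner -
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
"""

MIN_VERSION = (2, 0, 2)  # version the reply asks the poster to use
VERSION_RE = re.compile(r"^Logfile of HijackThis v(\d+(?:\.\d+)*)")
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) -\s*(.*)$")  # R0, O4, O23, ...
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
TEMP_RE = re.compile(r"\\temp\\", re.I)


def parse_log(text):
    """Return (version tuple, processes, [(code, body)]), rejoining wrapped lines."""
    version, processes, entries, in_procs = None, [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = VERSION_RE.match(line)
        if m:
            version = tuple(int(p) for p in m.group(1).split("."))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif ENTRY_RE.match(line):
            in_procs = False
            entries.append(list(ENTRY_RE.match(line).groups()))
        elif in_procs and (DRIVE_RE.match(line) or not processes):
            processes.append(line)
        elif in_procs:
            processes[-1] += " " + line  # wrapped process path
        elif entries:
            # Wrapped registry/service entry; joining with a space is a heuristic.
            entries[-1][1] = (entries[-1][1] + " " + line).strip()
    return version, processes, [tuple(e) for e in entries]


def triage(text):
    """Return (label, detail) findings for the issues named in the reply."""
    version, processes, entries = parse_log(text)
    findings = []
    if version is not None and version < MIN_VERSION:
        findings.append(("old-version", ".".join(map(str, version))))
    for proc in processes:
        if proc.lower().endswith("hijackthis.exe") and TEMP_RE.search(proc):
            findings.append(("hijackthis-in-temp", proc))
    for code, body in entries:
        low = body.lower()
        if code == "O4" and "teatimer.exe" in low:
            findings.append(("teatimer-active", body))
        if code == "O23" and "symantec" in low:
            findings.append(("symantec-service", body))
        if low.endswith("(file missing)"):
            findings.append(("file-missing", body))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:20} {detail}")
```

The findings only point at lines to review; they do not identify malware, which is why the reply sends the log to a removal forum.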