chris_irvine
asked on
Iexplorer.exe running at 100% after virus scan and running Spybot, any ideas?
Hey there everyone,
I have a machine here that on boot up runs iexplorer.exe with IE being started im assuming that there is some spyware or virus on the machine, however after repeated attempts to clean the machine it stilll does runs iexplorer.exe on start up.
I have run both Avast antivirus and Spybot, I have included the log file from Hijackthis, any help is appreciated.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:05:55 PM, on 11/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.e xe
C:\WINDOWS\system32\winlog on.exe
C:\WINDOWS\system32\servic es.exe
C:\WINDOWS\system32\lsass. exe
C:\WINDOWS\system32\svchos t.exe
C:\WINDOWS\System32\svchos t.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.e xe
C:\Program Files\Alwil Software\Avast4\ashServ.ex e
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spools v.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDev iceService .exe
c:\program files\mcafee.com\agent\mcd etect.exe
c:\PROGRA~1\mcafee.com\age nt\mctsksh d.exe
c:\PROGRA~1\mcafee.com\vso \mcvsrte.e xe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.e xe
C:\Program Files\Alwil Software\Avast4\ashWebSv.e xe
C:\WINDOWS\system32\wscntf y.exe
c:\PROGRA~1\mcafee.com\vso \mcshield. exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.5.0_03\bin \jusched.e xe
C:\Program Files\Real\RealPlayer\Real Play.exe
C:\WINDOWS\system32\dla\tf swctrl.exe
C:\Program Files\Common Files\InstallShield\Update Service\is sch.exe
C:\PROGRA~1\mcafee.com\age nt\mcagent .exe
C:\PROGRA~1\mcafee.com\vso \mcvsshld. exe
c:\progra~1\mcafee.com\vso \mcvsescn. exe
C:\WINDOWS\system32\hkcmd. exe
C:\WINDOWS\system32\igfxpe rs.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper. exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\PROGRA~1\ALWILS~1\Avast 4\ashDisp. exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\DellSupport\DSAgnt.e xe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
c:\program files\common files\installshield\update service\is uspm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\InstallShield\Update Service\ag ent.exe
C:\Program Files\iPod\bin\iPodService .exe
C:\Documents and Settings\Administrator\Des ktop\HiJac kThis.exe
R1 - HKCU\Software\Microsoft\In ternet Explorer\Main,Default_Page _URL = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\In ternet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DC
R1 - HKCU\Software\Microsoft\In ternet Explorer\Main,Search Page = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\In ternet Explorer\Main,Start Page = http://rogers.yahoo.com
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,Default_Page _URL = http://www.dell.ca/myway
R0 - HKLM\Software\Microsoft\In ternet Explorer\Main,Start Page = http://www.dell.ca/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8 AB8210D6D7 5} - C:\Program Files\MyWaySA\SrchAsDe\deS rcAs.dll (file missing)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0 090271D4F8 8} - C:\Program Files\Yahoo!\Companion\Ins talls\cpn\ yt.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-9 05236F6F65 5} - c:\progra~1\mcafee.com\vso \mcvsshl.d ll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-1 0AC9BABA46 C} - C:\Program Files\Canon\Easy-WebPrint\ Toolband.d ll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0 090271D4F8 8} - C:\Program Files\Yahoo!\Companion\Ins talls\cpn\ yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-6 4B5B4FF55D 0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin \jusched.e xe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\Real Play.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tf swctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTA L~1\UPDATE ~1\ISUSPM. exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\Update Service\is sch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vs o\mcmnhdlr .exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\age nt\mcagent .exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\age nt\mcupdat e.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso \mcvsshld. exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtr ay.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd. exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpe rs.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EX E /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe " -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper. exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsc a.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotif ier.exe
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [axis love poll lite] C:\Documents and Settings\All Users\Application Data\each new axis love\Ford wave.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast 4\ashDisp. exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon .exe
O4 - HKCU\..\Run: [online error] C:\DOCUME~1\Cheryl\APPLIC~ 1\README~1 \Sign way.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.e xe" /startup
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.h tm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4 \Office10\ EXCEL.EXE/ 3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\ Resource.d ll/RC_AddT oList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\ Resource.d ll/RC_HSPr int.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\ Resource.d ll/RC_Prev iew.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\ Resource.d ll/RC_Prin t.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0 0401C60850 1} - C:\Program Files\Java\j2re1.4.2_03\bi n\npjpi142 _03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0 0401C60850 1} - C:\Program Files\Java\j2re1.4.2_03\bi n\npjpi142 _03.dll
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2 FC0DE4A789 7} - C:\PROGRA~1\Yahoo!\Common\ yiesrvc.dl l
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-0 0C0F0318AF E} - C:\WINDOWS\system32\Shdocv w.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-5 8CAB36FD2A 2} - C:\PROGRA~1\SPYBOT~1\SDHel per.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-5 8CAB36FD2A 2} - C:\PROGRA~1\SPYBOT~1\SDHel per.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f 2ba3849658 3} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f 2ba3849658 3} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0 0C04F79568 3} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0 0C04F79568 3} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C 0A14556272 C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {149E45D8-163E-4189-86FC-4 5022AB2B6C 9} (SpinTop DRM Control) - file://C:\Program Files\Family Feud\Images\stg_drm.ocx
O16 - DPF: {14B87622-7E19-4EA8-93B3-9 7215F77A6B C} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2 D05CB95953 7} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-2 91D84DBD4A 0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0 DDAB3484CF 7} (Image Uploader Control) - http://www.photolab.ca/Upload/ImageUploader4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4 DFAD1796A8 D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-5 95F0A5519F F} (MsnMessengerSetupDownload Control Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-2 2031317559 2} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C 8C4BDA7BAA 6} (CPlayFirstDinerDashContro l Object) - http://zone.msn.com/bingame/dash/default/DinerDash.1.0.0.98.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F 4CA977D564 3} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F 385591623A F} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O20 - AppInit_DLLs: trrqvj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDev iceService .exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.e xe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.ex e
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.e xe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.e xe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc. exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver \11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService .exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcd etect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso \mcshield. exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\age nt\mctsksh d.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Age nt\mcupdmg r.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso \mcvsrte.e xe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NC S\Sync\Net Svc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter ) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
--
End of file - 11598 bytes
I have a machine here that on boot up runs iexplorer.exe with IE being started im assuming that there is some spyware or virus on the machine, however after repeated attempts to clean the machine it stilll does runs iexplorer.exe on start up.
I have run both Avast antivirus and Spybot, I have included the log file from Hijackthis, any help is appreciated.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:05:55 PM, on 11/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\Program Files\Alwil Software\Avast4\aswUpdSv.e
C:\Program Files\Alwil Software\Avast4\ashServ.ex
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spools
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDev
c:\program files\mcafee.com\agent\mcd
c:\PROGRA~1\mcafee.com\age
c:\PROGRA~1\mcafee.com\vso
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.e
C:\Program Files\Alwil Software\Avast4\ashWebSv.e
C:\WINDOWS\system32\wscntf
c:\PROGRA~1\mcafee.com\vso
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.5.0_03\bin
C:\Program Files\Real\RealPlayer\Real
C:\WINDOWS\system32\dla\tf
C:\Program Files\Common Files\InstallShield\Update
C:\PROGRA~1\mcafee.com\age
C:\PROGRA~1\mcafee.com\vso
c:\progra~1\mcafee.com\vso
C:\WINDOWS\system32\hkcmd.
C:\WINDOWS\system32\igfxpe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\PROGRA~1\ALWILS~1\Avast
C:\WINDOWS\system32\ctfmon
C:\Program Files\DellSupport\DSAgnt.e
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
c:\program files\common files\installshield\update
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\InstallShield\Update
C:\Program Files\iPod\bin\iPodService
C:\Documents and Settings\Administrator\Des
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-9
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-1
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-6
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\Real
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tf
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTA
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\Update
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vs
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\age
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\age
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtr
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EX
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsc
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotif
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [axis love poll lite] C:\Documents and Settings\All Users\Application Data\each new axis love\Ford wave.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - HKCU\..\Run: [online error] C:\DOCUME~1\Cheryl\APPLIC~
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.e
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.h
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-0
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-5
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-5
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O16 - DPF: {00B71CFB-6864-4346-A978-C
O16 - DPF: {149E45D8-163E-4189-86FC-4
O16 - DPF: {14B87622-7E19-4EA8-93B3-9
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-2
O16 - DPF: {6E5E167B-1566-4316-B27F-0
O16 - DPF: {8E0D4DE5-3180-4024-A327-4
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-5
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-2
O16 - DPF: {DC75FEF6-165D-4D25-A518-C
O16 - DPF: {E6187999-9FEC-46A1-A20F-F
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F
O20 - AppInit_DLLs: trrqvj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDev
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.e
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.ex
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.e
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.e
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcd
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\age
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Age
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NC
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter
--
End of file - 11598 bytes
Hi,
Vundo infection is present. Combofix should deal with this nicely.
Download ComboFix from either of these links to your Desktop.
http://subs.geekstogo.com/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
* Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. *
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
* The link below is a list of programs that should be disabled. If yours is not listed and you don't know how to disable it, please ask.
http://www.bleepingcomputer.com/forums/topic114351.html
* Close any open browsers.
* WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
* Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
* If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
NOTE: As part of the process combofix will now install the recovery console if required. It is recommended to do so in case of any major issues. This is not a requirement.
5. When finished, it will produce a report for you.
6. Please attach the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
PLEASE ALSO NOTE: Combofix will typically fix most and sometimes all Malware entries but many times a script is also needed to finish cleaning up. So please keep CF until advised whether you need the script or not.
Vundo infection is present. Combofix should deal with this nicely.
Download ComboFix from either of these links to your Desktop.
http://subs.geekstogo.com/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
* Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. *
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
* The link below is a list of programs that should be disabled. If yours is not listed and you don't know how to disable it, please ask.
http://www.bleepingcomputer.com/forums/topic114351.html
* Close any open browsers.
* WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
* Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
* If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
NOTE: As part of the process combofix will now install the recovery console if required. It is recommended to do so in case of any major issues. This is not a requirement.
5. When finished, it will produce a report for you.
6. Please attach the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
PLEASE ALSO NOTE: Combofix will typically fix most and sometimes all Malware entries but many times a script is also needed to finish cleaning up. So please keep CF until advised whether you need the script or not.
LOP is also present, but we should be able to clean that up with a combofix script after.
ASKER
Ive run combofix, I have attached the log file. the problem is still around iexplore.exe running at 100%
What is LOP? and where would I find a script to remove it?
combofixlog.txt
What is LOP? and where would I find a script to remove it?
combofixlog.txt
ASKER
correction iexplore.exe stops running at 100% about 3-5 minutes into start up, it goes down to 0%
ASKER
and its eating about 50Mb of memory without the program itself even running.
Give me a minute and I'll give you the cleanup script.
Here's the script. After running this I would also advise you run MalwareBytes' Anti-Malware, and let it remove whatever is found.
http://www.malwarebytes.org/mbam.php
The script....
1. Open Notepad.
2. Now copy/paste the text between the lines in bold below into the Notepad window:
-------------------------- ---------- ---------- ---------- ---------- ------
File::c:\windows\system32\yuorbb di.ini
c:\windows\Tasks\A9D0099C9 18BBF80.jo b
c:\docume~1\megan\applic~1 \readme~1\ film start cdrom.exe
Folder::c:\program files\readme list soap
c:\documents and settings\Cheryl\Applicatio n Data\readme list soap
c:\program files\Adverts
c:\documents and settings\Megan\Application Data\readme list soap
c:\documents and settings\Lauren\Applicatio n Data\readme list soap
c:\documents and settings\All Users\Application Data\PlayMixBinMode
c:\documents and settings\All Users\Application Data\each new axis loveRegistry::[HKEY_LOCAL_MACHINE\SOFTWA RE\Microso ft\Windows \CurrentVe rsion\Run] "axis love poll lite"=-[HKEY_LOCAL_MACHINE\softwa re\microso ft\windows nt\currentversion\windows] "AppInit_DLLs"=-
-------------------------- ---------- ---------- ---------- ---------- ------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please upload the following reports/logs.
-Combofix.txt
-A new HijackThis log
http://www.malwarebytes.org/mbam.php
The script....
1. Open Notepad.
2. Now copy/paste the text between the lines in bold below into the Notepad window:
--------------------------
File::c:\windows\system32\yuorbb
c:\windows\Tasks\A9D0099C9
c:\docume~1\megan\applic~1
Folder::c:\program files\readme list soap
c:\documents and settings\Cheryl\Applicatio
c:\program files\Adverts
c:\documents and settings\Megan\Application
c:\documents and settings\Lauren\Applicatio
c:\documents and settings\All Users\Application Data\PlayMixBinMode
c:\documents and settings\All Users\Application Data\each new axis loveRegistry::[HKEY_LOCAL_MACHINE\SOFTWA
--------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please upload the following reports/logs.
-Combofix.txt
-A new HijackThis log
ASKER
Thanx for the script it ran flawlessly, here are the updated logs you asked for...
CFlog.txt
hijackthislog.txt
CFlog.txt
hijackthislog.txt
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
hijackthislog.txt