
how to stop iexplore from continuing to open and lock up my system

Rebol asked:
I am working on a PC for a client that is/was infected with malware. Symptoms: all files from C:\ disappeared, nothing in the Start menu, etc. I started it in Safe Mode with Networking and copied Malwarebytes, rkill, ComboFix, RogueKiller, unhide.exe, and the registry fix to reassociate .exe files to the hard drive. I then copied the contents of the smtemp folder (all the Start menu links that get removed by the virus, etc.) to a jump drive for safekeeping, because I have seen this directory get deleted during the cleaning process, and then you are really screwed.

I then ran (from Safe Mode with Networking) rkill.exe, followed by Malwarebytes several times until no more objects were found (rebooting in between and rerunning rkill first thing after the reboot). Then I ran ComboFix and RogueKiller, then unhide. After that I replaced all the Start menu links. All seemed OK, so I booted into regular mode. The PC seemed to lock up for about 10 seconds at a time, then unfreeze for about a second or two, then do it again. I noticed that iexplore was running in the Task Manager processes when I had not started Internet Explorer at all, so I killed it, and it would come back a few seconds later. I also noticed that the icons for all of the tools I had used had what looked like the Windows Security Center shield in the lower right corner of the icon; I have seen this plenty of times before, caused by malware when it attacks these types of apps. I then ran the only version of rkill that didn't have the shield on the icon (I have several versions of rkill: rkill.exe, rkill.com, rkill.scr, etc., that way a virus doesn't recognize it). Well, it worked here: rkill reported that \\?\C:\Windows\system32\wbem\WMIADAP.EXE was running and was terminated. So to sum up, I still have some kind of infection and I guess I need a different scanner to get it. Any suggestions?

I have used BitDefender and the BitDefender online scanner in the past, but I have had very little luck getting the first one to even install and the online scanner to find anything at all the last several times I have tried it. I will attempt to rerun Malwarebytes after rkill found that file, but I am not too confident in it since it has been marked by the malware (the shield on the icon). Thanks for any input, guys.
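The question describes a process (iexplore.exe) that reappears a few seconds after being killed. Killing it again tells you nothing; what helps an investigator is recording who launches each new instance. The following PowerShell script is an added example written for this thread, not code from the original post or from any of the tools mentioned. It polls the process list, and for every new instance of the named process it logs the PID, image path, command line, and the parent process (name and path) to a CSV file. Repeated parents point at the relaunch mechanism (a service, a scheduled task, or another running binary). The process name, the 120-second watch window, and the log path are assumptions; change them as needed. It uses Get-CimInstance, so it needs PowerShell 3 or later; on older systems substitute Get-WmiObject with the same class and filter.

```powershell
# Added example (not from the thread): record which process launches every new instance
# of a process that keeps respawning, so the relaunch source can be identified.
param(
    [string]$ProcessName = 'iexplore.exe',          # process named in the question (assumption)
    [int]$Seconds        = 120,                     # how long to watch (assumption)
    [string]$LogPath     = "$env:TEMP\respawn-log.csv"   # where to write the log (assumption)
)

$seen     = @{}                                   # PIDs already recorded, so each instance is logged once
$deadline = (Get-Date).AddSeconds($Seconds)

while ((Get-Date) -lt $deadline) {
    # WQL string comparison is case-insensitive, so 'IEXPLORE.EXE' also matches
    $procs = Get-CimInstance Win32_Process -Filter "Name = '$ProcessName'"
    foreach ($p in $procs) {
        if ($seen.ContainsKey($p.ProcessId)) { continue }
        $seen[$p.ProcessId] = $true

        # Look up the parent; it may already have exited, in which case we record that
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"

        $record = [pscustomobject]@{
            Time        = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
            Pid         = $p.ProcessId
            Path        = $p.ExecutablePath
            CommandLine = $p.CommandLine
            ParentPid   = $p.ParentProcessId
            ParentName  = if ($parent) { $parent.Name } else { '<parent exited>' }
            ParentPath  = if ($parent) { $parent.ExecutablePath } else { '' }
        }
        $record | Export-Csv -Path $LogPath -Append -NoTypeInformation
        $record | Format-List | Out-String | Write-Host
    }
    Start-Sleep -Milliseconds 500
}

Write-Host "Watched for $Seconds seconds; $($seen.Count) distinct '$ProcessName' instance(s) seen. Log: $LogPath"
```

Run it in an elevated PowerShell window before killing the process, then kill it as usual; each respawn produces a new line in the log. A parent that is itself a legitimate system binary (for example a service host) means the next step is to look at what that host loaded, not at the child.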

Commented:
remember that sometimes a virus will corrupt files....
Have you tried "System File Checker"? SFC /scannow, or /scanonce to scan all protected system files at the next system start...
I just dealt with the same thing last week and I had to use SuperAntiSpyware to get rid of it. Symantec identified the infection as trojan.maljava. There were leftover files in the user's application data folder that were causing it to relaunch on login. Log in as another user and rename the profile folder so a clean one gets created on the next boot.
Also try not running in Safe Mode. All those utils do better in normal mode. I used the new profile trick before, as mentioned above, and it worked like a charm.

Commented:
Yes, run a tool like the free AVG live CD to see if viruses/malware are still on the system, as I suspect they are.
That's the way I do virus scanning these days, as too many viruses defeat decent antivirus tools, and getting Windows out of the way means better prospects of finding the buggers.
Distinguished Expert 2019
Commented:
since you had a nasty corruption -  i would install everything fresh - will be faster and better in the long run

1) before you run any virus scan, make sure to disable System restore first
XP:
http://support.microsoft.com/kb/310405

7:
http://www.nirmaltv.com/2009/03/14/how-to-enable-or-disable-system-restore-in-windows-7/

2) sometimes, it is recommended to rename any antivirus or scanner you have to anything like abc.exe, then place them on the system you want to scan, as some viruses may recognize the name and try to block the application from running

3) then run the scan

Note: to get optimum cleaning result, better to do the above steps on Safe mode
Qlemo "Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
Two common issues with firelines recommendation:
Do NOT disable System Restore. Though the virus/malware can be contained in restore data, it won't come back from there unless you do a System Restore. Malware checkers are able to check restore points, so there is no reason to disable them, and hence remove any chance you can go back to an earlier, maybe uninfected, state, or roll back unsuccessful disinfection attempts.
Scans should always happen in normal mode, not Safe Mode, unless you are not able to boot into normal mode anymore. Much malware is only found when not running in Safe Mode.

Author

Commented:
OK, I have tried all of these, except the fresh reload, which is not an option I hope to use since this client doesn't have their reload disks. I think I have removed several different infections, but there is still at least one left, a redirector. I know ComboFix has been able to remove these in the past, but I have two issues with it. One is that the moment I copy the exe to the PC, a Security Center-looking shield appears on the icon, which, as previously stated, I believe to be from the malware. Also, when I run it, it says it needs admin rights to complete. I have tried to run it logged in as the admin, starting the command prompt "as admin", and even using the command line to run the app with admin rights, and yet it still says it needs admin rights to run properly. I can only assume it has been compromised. Does anyone know of a different scanner that works well with redirecting malware that I can try? (On a side note, many people say to run the anti-malware apps in regular mode, yet this is what happens virtually every time when I do. Since most viruses don't run in Safe Mode, wouldn't it be better advice to have people first try to clean them in Safe Mode and if it doesn't work then go to regular mode? I have cleaned many machines completely from Safe Mode, so this confuses me. At the very least it seems like unsound advice. I am not trying to "bite the hand that feeds me" here, it just doesn't seem logical and I'm trying to understand.)
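The author suspects that the copies of the cleanup tools on the infected PC have been tampered with. Whether the file contents were actually changed is something you can check rather than assume: compare each copy on the suspect machine against the trusted copy on the removable drive it came from. The PowerShell function below is an added example for this thread, not code from the original post or from any of the tools named. It hashes matching file names in both folders with SHA-256, reports identical, modified or missing files, and also notes whether the target copy carries a Zone.Identifier stream (Windows' "downloaded from the internet" marker, which is metadata and does not alter the bytes). The folder paths E:\tools and C:\tools are assumptions. Get-FileHash requires PowerShell 4 or later.

```powershell
# Added example (not from the thread): compare tool copies on a suspect PC against
# known-good copies on removable media, to tell "tool was altered" from "tool behaves oddly".
function Compare-ToolCopies {
    param(
        [Parameter(Mandatory)] [string]$TrustedDir,   # folder the tools were copied FROM (e.g. jump drive)
        [Parameter(Mandatory)] [string]$TargetDir     # folder the tools were copied TO on the suspect PC
    )
    foreach ($trusted in Get-ChildItem -LiteralPath $TrustedDir -File) {
        $target = Join-Path $TargetDir $trusted.Name
        if (-not (Test-Path -LiteralPath $target)) {
            [pscustomobject]@{ File = $trusted.Name; Status = 'MISSING on target'; ZoneIdentifier = '' }
            continue
        }
        $trustedHash = (Get-FileHash -LiteralPath $trusted.FullName -Algorithm SHA256).Hash
        $targetHash  = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash

        # Zone.Identifier is an alternate data stream recording the file's download origin;
        # its presence changes prompts, not the executable's contents
        $zone = if (Get-Item -LiteralPath $target -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
            'present'
        } else {
            'none'
        }

        [pscustomobject]@{
            File           = $trusted.Name
            Status         = if ($trustedHash -eq $targetHash) { 'identical' } else { 'MODIFIED on target' }
            ZoneIdentifier = $zone
        }
    }
}

# Usage (paths are assumptions for this example)
Compare-ToolCopies -TrustedDir 'E:\tools' -TargetDir 'C:\tools' | Format-Table -AutoSize
```

An "identical" result means the icon change and the elevation message come from how Windows treats the file (its manifest, its origin marker, or policy), not from altered bytes; a "MODIFIED" result is evidence worth preserving before the machine is rebuilt.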
Read younghv's article on best practices for fighting Malware, it delineates the problems with doing scans in safe mode.

http://www.experts-exchange.com/Software/Internet_Email/Anti_Spyware/A_6650-Malware-Fighting-Best-Practices.html
Qlemo "Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
Running ComboFix might be available if you rename it before or while copying.

Author

Commented:
OK, I really appreciate all the advice, but unfortunately nothing has worked against this rootkit trojan virus. It just keeps coming back, or other variations keep coming back. Luckily I have been given another option: my client found their reload disks, so I can just wipe out this PC and rebuild it. So I guess the points should go to the one who suggested that. Even though that is always the last answer and didn't really fix the problem so much as side-step it, none of the other fixes worked, so it seems to be the most fair.

Author

Commented:
thanks
Distinguished Expert 2019

Commented:
That is what I do in similar cases - thanks for the feedback