IE9 opening random instances, possibly triggered by Java?


  1. Posts : 4
    Windows 7 Ultimate x64
       #1


    Hi all,

    First post on these forums. I have a really weird issue I have been trying to diagnose for a few months now... At random times I will get flooded with IE windows opening up. It could be while browsing or even if the computer is idle. Sometimes it has gotten to the point it floods my system until it screeches to a halt. And now I am certain it is NOT spyware because I have done the following things:

    - Scanned with 5 different antivirus and anti-malware packages
    - Checked HijackThis for suspicious activity
    - Ran numerous memory checks
    - Ran the system with minimal applications
    - I've built a new computer and this reoccurs!


    On my new machine, I finally installed Java for an application that required it and this issue reoccurred while I was asleep. I had no issues since the system has been up and running. Only when I installed Java. However, I noticed the issue occurs if IE is open, so the browser does not open by itself but opens more windows. I scramble to stop it, usually Task Manager will let me kill all processes and it might stop it. The behavior is very malware-like, but I've ruled it out at this point.

    My solution to this problem was disabling Java, but it should be enabled. What is the cause of this issue or what can I do to fix it?


  2. Posts : 10,200
    MS Windows 7 Ultimate SP1 64-bit
       #2

    You very possibly have malware.

    Before I continue, your specs do not indicate Win 7 SP1.

    Do you have SP1 installed? Yes or No.


  3. Posts : 4
    Windows 7 Ultimate x64
    Thread Starter
       #3

    karlsnooks said:
    you very possibly have malware.

    Before I continue, your specs do not indicate Win 7 SP1.

    Do you have sp 1 installed? Yes or No.
    Yep, all the latest updates to this week for all drivers and software. This issue has been persisting for a while.


  4. Posts : 10,200
    MS Windows 7 Ultimate SP1 64-bit
       #4

    Please carry out the following:

    # **********************INSTRUCTIONS**************************
    # STEP 1 ** RUN POWERSHELL AS ADMINISTRATOR ******************
    # ************************************************************
    #
    # WIN key | type POWERSHELL | do NOT hit ENTER |
    # in the PROGRAMS list, right-click on WINDOWS POWERSHELL |
    # choose "Run as administrator" |
    # Click on the YES button (if such appears)
    #
    # WIN key = key with Microsoft logo on top
    #
    # for the guru:
    # WIN | type POWERSHELL | CTRL+SHIFT+ENTER key combo | ALT+Y keycombo
    # ************************************************************
    # STEP 2 ** COPY AND PASTE ***********************************
    # ************************************************************
    #
    # COPY the script using CTRL+C,
    # COPY every line of script down thru both EXIT statements
    #
    # PASTE into Powershell
    #----Right-Click at the PowerShell Prompt
    #----(Ctrl+V does not work)
    #
    # Start copying with first script line without a # at start of the line
    # Note: Actually, you can paste the entire file if you rather
    #-------Lines starting with a # are ignored by PowerShell
    # ************************************************************
    # STEP 3 ** SCRIPT OUTPUT & SCRIPT PURPOSE *******************
    # ************************************************************
    # --The script output and purpose is given at the very front of the script
    #
    # ************************************************************
    # ***************** NOTE - POWERSHELL VERSION*****************
    # if you receive this error msg:
    #--The system can not find the path specified
    # you may need to update your PowerShell
    # you must be using Powershell 2.0 or later.
    #
    # To determine your Powershell version:
    #---Run PowerShell
    #---enter $host.version
    #---you should see at least:
    # Major Minor Build Revision
    # ----- ----- ----- --------
    # 2......0......-1.....-1
    #
    # If you do not see the above, update your Vista/Win 7.
    # ************************************************************
    # *************** NOTE - EXECUTION POLICY*********************
    # If you haven't set the execution policy, you may need to:
    #---Run PowerShell
    #---enter SET-EXECUTIONPOLICY -EXECUTIONPOLICY REMOTESIGNED
    # ************************************************************


    Script:
    # ***********************************************************************
    # Puts COMPUTERINFO.TXT on your desktop
    # COMPUTERINFO.TXT contains info about your bios and your computer system
    # ***********************************************************************

    # Build the " NAME " (or " NAME n ") prefix used in every property name
    function get-ID {
      param ([string]$title, [int]$arraycnt, [int]$arrayndx)
      $id = " " + $title + " "
      If ($arraycnt -ne 1) {$id = $id + [string]$arrayndx + " "}
      $id
    }

    # Centre a prefix in a row of '#' to make a section heading
    function get-title {
      param ([string]$id)
      $hashes = [int]((51 - $id.length)/2)
      $hashstr = '#' * $hashes
      $title = $hashstr + $id + $hashstr
      If ($title.length -le 51) {$title += "#"}
      $title
    }

    # WMI queries; @(...) forces an array so .count is always valid
    $sterne = "*" * 79
    $ossys = @(gwmi win32_operatingsystem)
    $ossyscnt = $ossys.count
    $ossysid = get-id "WIN" 1 0
    $dskvol = @(gwmi win32_volume)
    $dskvolcnt = $dskvol.count
    $dskarr = @(gwmi win32_diskdrive)
    $dskarrcnt = $dskarr.count
    $cpu = @(gwmi win32_processor)
    $cpucnt = $cpu.count
    $mobo = gwmi win32_BaseBoard
    $moboid = get-id "MOTHERBOARD" 1 0
    $bootcfg = gwmi Win32_BootConfiguration
    $bootid = get-id "BOOT CONFIGURATION" 1 0
    $Build = gwmi Win32_WMISetting
    $osid = get-id "OS BUILD" 1 0
    $CS = gwmi Win32_ComputerSystem
    $CSprod = gwmi Win32_ComputerSystemProduct
    $id = get-id "BIOS" 1 0
    $csid = get-id "COMPUTER SYSTEM" 1 0
    $bios = gwmi win32_bios

    # BIOS, computer system, build, boot configuration and motherboard
    $obj = new-object -typename PSobject
    $obj |
     Add-member -membertype noteproperty -name (Get-title $id) -value $sterne -passthru |
     add-member -membertype noteproperty -name ($id + "Name") -value($bios.name) -passthru |
     add-member -membertype noteproperty -name ($id + "Manufacturer") -value($bios.manufacturer) -passthru |
     add-member -membertype noteproperty -name ($id + "Release Date") -value($bios.converttodatetime($bios.releasedate)) -passthru |
     add-member -membertype noteproperty -name ($id + "Serial Number") -value($bios.SerialNumber) -passthru |
     Add-member -membertype noteproperty -name (Get-title $csid) -value $sterne -passthru |
     add-member -membertype noteproperty -name ($csid + "Manufacturer") -value($cs.manufacturer) -passthru |
     add-member -membertype noteproperty -name ($csid + "Model") -value($cs.model) -passthru |
     add-member -membertype noteproperty -name ($csid + "Primary Owner") -value($cs.primaryownername) -passthru |
     add-member -membertype noteproperty -name ($csid + "Type") -value($cs.systemtype) -passthru |
     add-member -membertype noteproperty -name ($csid + "Total Memory") -value(([string][int]($cs.totalphysicalmemory/1073741824) + " GB")) -passthru |
     add-member -membertype noteproperty -name ($csid + "User Name") -value($cs.username) -passthru |
     add-member -membertype noteproperty -name ($csid + "Product Name") -value($csprod.name) -passthru |
     add-member -membertype noteproperty -name ($csid + "Version") -value($csprod.version) -passthru |
     add-member -membertype noteproperty -name ($csid + "Identifying Number") -value($csprod.identifyingnumber) -passthru |
     add-member -membertype noteproperty -name ($csid + "Vendor") -value($csprod.vendor) -passthru |
     add-member -membertype noteproperty -name ($osID + "Build version") -value($build.BuildVersion) -passthru |
     add-member -membertype noteproperty -name ($bootid + "Boot Directory") -value($bootcfg.bootdirectory) -passthru |
     add-member -membertype noteproperty -name ($bootid + "Last Drive") -value($bootcfg.lastdrive) -passthru |
     add-member -membertype noteproperty -name ($moboID + "Manufacturer") -value($mobo.manufacturer) -passthru |
     add-member -membertype noteproperty -name ($moboid + "Product Type") -value($mobo.product) -passthru |
     add-member -membertype noteproperty -name ($moboid + "Serial Number") -value($mobo.serialnumber)

    # Operating system(s)
    for ($ndx=1; $ndx -le $ossyscnt; $ndx++) {
      $d = $ossys[$ndx - 1]
      $ossysid = get-id "WIN" $ossyscnt $ndx
      $obj |
       add-member -membertype noteproperty -name ($ossysid + "Build Number") -value($d.buildnumber) -passthru |
       add-member -membertype noteproperty -name ($ossysid + "OS Version") -value($d.caption) -passthru |
       add-member -membertype noteproperty -name ($ossysid + "Country Code") -value($d.countrycode) -passthru |
    ## add-member -membertype noteproperty -name ($ossysid + "Service Pack") -value($d.csdversion) -passthru |
       add-member -membertype noteproperty -name ($ossysid + "Install Date") -value($d.converttodatetime($d.installdate)) -passthru |
       add-member -membertype noteproperty -name ($ossysid + "Computer System Name") -value($d.csname) -passthru |
       add-member -membertype noteproperty -name ($ossysid + "Last Bootup") -value($d.converttodatetime($d.lastbootuptime)) -passthru |
       add-member -membertype noteproperty -name ($ossysid + "OS Architecture") -value($d.osarchitecture) -passthru |
       add-member -membertype noteproperty -name ($ossysid + "Registered User") -value($d.registereduser) -passthru |
       add-member -membertype noteproperty -name ($ossysid + "Product ID") -value($d.serialnumber) -passthru |
       add-member -membertype noteproperty -name ($ossysid + "Service Pack Version") -value($d.servicepackmajorversion)
    }

    # Processors
    for ($ndx=1; $ndx -le $cpucnt; $ndx++) {
      $d = $cpu[$ndx - 1]
      $cpuid = get-id "CPU" $cpucnt $ndx
      $obj |
       add-member -membertype noteproperty -name ($cpuid + "Current Core Speed") -value([string][int]$d.currentclockspeed + " MHz") -passthru |
       add-member -membertype noteproperty -name ($cpuid + "Current Voltage") -value($d.currentvoltage) -passthru |
       add-member -membertype noteproperty -name ($cpuid + "External Clock") -value($d.extclock) -passthru |
       add-member -membertype noteproperty -name ($cpuid + "Max. Clock Speed") -value([string][int]$d.maxclockspeed + " MHz") -passthru |
       add-member -membertype noteproperty -name ($cpuid + "Manufacturer") -value($d.manufacturer) -passthru |
       add-member -membertype noteproperty -name ($cpuid + "Name") -value($d.name) -passthru |
       add-member -membertype noteproperty -name ($cpuid + "Description") -value($d.description) -passthru |
       add-member -membertype noteproperty -name ($cpuid + "version") -value($d.version) -passthru |
       add-member -membertype noteproperty -name ($cpuid + "Number of Cores per CPU") -value($d.numberofcores) -passthru |
       add-member -membertype noteproperty -name ($cpuid + "Number of Logical Processors") -value($d.numberoflogicalprocessors) -passthru |
       add-member -membertype noteproperty -name ($cpuid + "Socket Designation") -value($d.socketdesignation)
    }

    # Physical disk drives
    for ($ndx=1; $ndx -le $dskarrcnt; $ndx++) {
      $d = $dskarr[$ndx - 1]
      $dskarrid = get-id "DISK" $dskarrcnt $ndx
      $obj |
       Add-member -membertype noteproperty -name (get-title $dskarrid) -value $sterne -passthru |
       add-member -membertype noteproperty -name ($dskarrid + "Model") -value($d.model) -passthru |
       add-member -membertype noteproperty -name ($dskarrid + "Size") -value([string][int]($d.size/1073741824) + " GB") -passthru |
       add-member -membertype noteproperty -name ($dskarrid + "Status") -value($d.status) -passthru |
       add-member -membertype noteproperty -name ($dskarrid + "Capabilities") -value($d.capabilitydescriptions) -passthru |
       add-member -membertype noteproperty -name ($dskarrid + "Interface Type") -value($d.interfacetype) -passthru |
       add-member -membertype noteproperty -name ($dskarrid + "Partitions") -value($d.partitions) -passthru |
       add-member -membertype noteproperty -name ($dskarrid + "Bytespersector") -value($d.bytespersector) -passthru |
       add-member -membertype noteproperty -name ($dskarrid + "Sectors per track") -value($d.sectorspertrack) -passthru |
       add-member -membertype noteproperty -name ($dskarrid + "Firmware revision") -value($d.firmwarerevision) -passthru |
       add-member -membertype noteproperty -name ($dskarrid + "Device ID") -value($d.deviceid) -passthru |
       add-member -membertype noteproperty -name ($dskarrid + "PNP Device ID") -value($d.pnpdeviceid)
    }

    # Translate the Win32_Volume DriveType code into text
    function Get-DrvType ($n) {
      switch ([int]$n) {
        2  {$result = "Removable"}
        3  {$result = "Partition"}
        5  {$result = "CDROM"}
        default {$result = "Unknown"}
      }
      $result
    }

    # Volumes
    for ($ndx=1; $ndx -le $dskvolcnt; $ndx++) {
      $d = $dskvol[$ndx - 1]
      $dskvolid = get-id "DISK VOLUME" $dskvolcnt $ndx
      $obj |
       add-member -membertype noteproperty -name (get-title $dskvolid) -value $sterne -passthru |
       add-member -membertype noteproperty -name ($dskvolid + "Caption") -value($d.caption) -passthru |
       add-member -membertype noteproperty -name ($dskvolid + "Drive Letter") -value($d.driveletter) -passthru |
       add-member -membertype noteproperty -name ($dskvolid + "Label") -value($d.label) -passthru |
       add-member -membertype noteproperty -name ($dskvolid + "Capacity") -value([string][int]($d.capacity/1073741824) + " GB") -passthru |
       add-member -membertype noteproperty -name ($dskvolid + "Free Space") -value([string][int]($d.freespace/1073741824) + " GB") -passthru |
       add-member -membertype noteproperty -name ($dskvolid + "Volume Type") -value(get-drvtype($d.drivetype)) -passthru |
       add-member -membertype noteproperty -name ($dskvolid + "Boot Volume") -value($d.bootvolume) -passthru |
       add-member -membertype noteproperty -name ($dskvolid + "System Volume") -value($d.systemvolume) -passthru |
       add-member -membertype noteproperty -name ($dskvolid + "Compressed") -value($d.compressed) -passthru |
       add-member -membertype noteproperty -name ($dskvolid + "Serial Number") -value($d.serialnumber) -passthru |
    #  add-member -membertype noteproperty -name ($dskvolid + "Device ID") -value($d.deviceid) -passthru |
       add-member -membertype noteproperty -name ($dskvolid + "File System") -value($d.filesystem) -passthru |
       add-member -membertype noteproperty -name ($dskvolid + "Block Size") -value($d.blocksize) -passthru |
       add-member -membertype noteproperty -name ($dskvolid + "Indexing Enabled") -value($d.indexingenabled) -passthru |
       add-member -membertype noteproperty -name ($dskvolid + "Auto Mount") -value($d.automount) -passthru |
       add-member -membertype noteproperty -name ($dskvolid + "Dirty Bit Set") -value($d.dirtybitset)
    }

    # Physical memory arrays
    $PhyMemArray = @(gwmi win32_PhysicalMemoryArray)
    $cnt = $phymemarray.count
    for ($ndx=1; $ndx -le $cnt; $ndx++) {
      $d = $phymemarray[$ndx - 1]
      $id = get-id "PHYSICAL MEMORY ARRAY" $cnt $ndx
      $obj | add-member -membertype noteproperty -name (Get-title $Id) -value $sterne
      $obj | add-member -membertype noteproperty -name (" Maximum Memory Capacity") -value([string][int]($d.maxcapacity/1048576) + " GB")
      $obj | add-member -membertype noteproperty -name (" Number of Memory Devices") -value($d.memorydevices)
    }

    # Installed memory modules
    $arr = @(gwmi win32_PhysicalMemory)
    $cnt = $arr.count
    for ($i=1; $i -le $cnt; $i++) {
      $d = $arr[$i - 1]
      $id = get-id "PHYSICAL MEMORY" $cnt $i
      $obj | add-member -membertype noteproperty -name (get-title $id) -value $sterne
      $obj | add-member -membertype noteproperty -name ($id + "Bank Label") -value($d.banklabel)
      $obj | add-member -membertype noteproperty -name ($id + "Capacity") -value([string][int]($d.capacity/1073741824) + " GB")
      $obj | add-member -membertype noteproperty -name ($id + "Data Width") -value($d.datawidth)
      $obj | add-member -membertype noteproperty -name ($id + "Speed") -value($d.speed)
      $obj | add-member -membertype noteproperty -name ($id + "Description") -value($d.description)
      $obj | add-member -membertype noteproperty -name ($id + "Tag") -value($d.tag)
      $obj | add-member -membertype noteproperty -name ($id + "Device Locator") -value($d.devicelocator)
      $obj | add-member -membertype noteproperty -name ($id + "Manufacturer") -value($d.manufacturer)
      $obj | add-member -membertype noteproperty -name ($id + "Part Number") -value($d.partnumber)
      $obj | add-member -membertype noteproperty -name ($id + "Serial Number") -value($d.serialnumber)
    }

    # Cache memory
    $Arr = @(gwmi win32_cachememory)
    $cnt = $arr.count
    for ($i=1; $i -le $cnt; $i++) {
      $d = $arr[$i - 1]
      $id = get-id "CACHE MEMORY" $cnt $i
      $obj | add-member -membertype noteproperty -name (get-title $id) -value $sterne
      $obj | add-member -membertype noteproperty -name ($id + "Name") -value($d.name)
      $obj | add-member -membertype noteproperty -name ($id + "Device ID") -value($d.deviceid)
      $obj | add-member -membertype noteproperty -name ($id + "Purpose") -value($d.purpose)
      $obj | add-member -membertype noteproperty -name ($id + "Block Size") -value($d.blocksize)
      $obj | add-member -membertype noteproperty -name ($id + "Installed Size") -value($d.installedsize)
      $obj | add-member -membertype noteproperty -name ($id + "Max Cache Size") -value($d.maxcachesize)
      $obj | add-member -membertype noteproperty -name ($id + "Number of Blocks") -value($d.numberofblocks)
      $obj | add-member -membertype noteproperty -name ($id + "Status") -value($d.status)
    }

    # Memory arrays
    $Arr = @(gwmi win32_memoryarray)
    $cnt = $arr.count
    for ($i=1; $i -le $cnt; $i++) {
      $d = $arr[$i - 1]
      $id = get-id "MEMORY ARRAY" $CNT $I
      $obj | add-member -membertype noteproperty -name (get-title $id) -value $sterne
      $obj | add-member -membertype noteproperty -name ($id + "Description") -value($d.description)
      $obj | add-member -membertype noteproperty -name ($id + "Device ID") -value($d.deviceid)
      $obj | add-member -membertype noteproperty -name ($id + "Starting Address") -value($d.startingaddress)
      $obj | add-member -membertype noteproperty -name ($id + "Ending Address") -value($d.endingaddress)
    }

    # Memory devices ($cnt here; the posted script had the undefined $cnd)
    $Arr = @(gwmi win32_memorydevice)
    $cnt = $arr.count
    for ($i=1; $i -le $cnt; $i++) {
      $d = $arr[$i - 1]
      $id = get-id "MEMORY DEVICE" $cnt $i
      $obj | add-member -membertype noteproperty -name (get-title $id) -value $sterne
      $obj | add-member -membertype noteproperty -name ($id + "Description") -value($d.description)
      $obj | add-member -membertype noteproperty -name ($id + "Device ID") -value($d.deviceid)
      $obj | add-member -membertype noteproperty -name ($id + "Starting Address") -value($d.startingaddress)
      $obj | add-member -membertype noteproperty -name ($id + "Ending Address") -value($d.endingaddress)
    }

    # Write the collected properties to COMPUTERINFO.TXT on the desktop
    $obj > $env:userprofile\desktop\COMPUTERINFO.TXT

    EXIT
    EXIT 
    ==================================================
    Select all of that script then use Ctrl + C to copy. Then you can just right-click in Powershell to paste it in.


  5. Posts : 4
    Windows 7 Ultimate x64
    Thread Starter
       #5

    As I said before, I have run numerous scans on every single drive with 5 different pieces of software such as Nod32, MSE, Combofix, Malwarebytes, SUPERAntiSpyware, Spybot. Not one threat came up, so I am PRETTY sure there is no malware. I have also monitored abnormal processes when it occurs, and it's only iexplore.exe with multiple instances, and maybe a few conhost.exe instances (nothing abnormal). Again, I stress since Java has been disabled this is not occurring.

    Here's my PowerShell script output


    ###################### BIOS ####################### : ****************************************************************
    ***************
    BIOS Name : BIOS Date: 05/24/12 14:37:18 Ver: 12.03
    BIOS Manufacturer : American Megatrends Inc.
    BIOS Release Date : 23/05/2012 8:00:00 PM
    BIOS Serial Number : System Serial Number
    ################# COMPUTER SYSTEM ################## : ****************************************************************
    ***************
    COMPUTER SYSTEM Manufacturer : System manufacturer
    COMPUTER SYSTEM Model : System Product Name
    COMPUTER SYSTEM Primary Owner : Summet
    COMPUTER SYSTEM Type : x64-based PC
    COMPUTER SYSTEM Total Memory : 32 GB
    COMPUTER SYSTEM User Name : Summet-PC\Summet
    COMPUTER SYSTEM Product Name : System Product Name
    COMPUTER SYSTEM Version : System Version
    COMPUTER SYSTEM Identifying Number : System Serial Number
    COMPUTER SYSTEM Vendor : System manufacturer
    OS BUILD Build version : 7601.17514
    BOOT CONFIGURATION Boot Directory : C:\Windows
    BOOT CONFIGURATION Last Drive : I:
    MOTHERBOARD Manufacturer : ASUSTeK COMPUTER INC.
    MOTHERBOARD Product Type : P9X79 DELUXE
    MOTHERBOARD Serial Number :
    WIN Build Number : 7601
    WIN OS Version : Microsoft Windows 7 Ultimate
    WIN Country Code : 2
    WIN Install Date : 07/07/2012 10:35:52 PM
    WIN Computer System Name : SUMMET-PC
    WIN Last Bootup : 18/07/2012 7:14:07 PM
    WIN OS Architecture : 64-bit
    WIN Registered User : Summet
    WIN Product ID :
    WIN Service Pack Version : 1
    CPU Current Core Speed : 3201 MHz
    CPU Current Voltage : 10
    CPU External Clock : 100
    CPU Max. Clock Speed : 3201 MHz
    CPU Manufacturer : GenuineIntel
    CPU Name : Intel(R) Core(TM) i7-3930K CPU @ 3.20GHz
    CPU Description : Intel64 Family 6 Model 45 Stepping 7
    CPU version :
    CPU Number of Cores per CPU : 6
    CPU Number of Logical Processors : 12
    CPU Socket Designation : LGA2011
    ###################### DISK 1 ###################### : ****************************************************************
    ***************
    DISK 1 Model : ST3640323AS ATA Device
    DISK 1 Size : 596 GB
    DISK 1 Status : OK
    DISK 1 Capabilities : {Random Access, Supports Writing}
    DISK 1 Interface Type : IDE
    DISK 1 Partitions : 1
    DISK 1 Bytespersector : 512
    DISK 1 Sectors per track : 63
    DISK 1 Firmware revision : SD13
    DISK 1 Device ID : \\.\PHYSICALDRIVE0
    DISK 1 PNP Device ID : IDE\DISKST3640323AS_____________________________SD13____\6&39FFB
    3C8&0&0.0.0
    ###################### DISK 2 ###################### : ****************************************************************
    ***************
    DISK 2 Model : ATA INTEL SSDSC2CW18 SCSI Disk Device
    DISK 2 Size : 168 GB
    DISK 2 Status : OK
    DISK 2 Capabilities : {Random Access, Supports Writing}
    DISK 2 Interface Type : SCSI
    DISK 2 Partitions : 2
    DISK 2 Bytespersector : 512
    DISK 2 Sectors per track : 63
    DISK 2 Firmware revision : 400i
    DISK 2 Device ID : \\.\PHYSICALDRIVE1
    DISK 2 PNP Device ID : SCSI\DISK&VEN_ATA&PROD_INTEL_SSDSC2CW18\4&2A9518A8&0&000000
    ###################### DISK 3 ###################### : ****************************************************************
    ***************
    DISK 3 Model : ATA ST3640323AS SCSI Disk Device
    DISK 3 Size : 596 GB
    DISK 3 Status : OK
    DISK 3 Capabilities : {Random Access, Supports Writing}
    DISK 3 Interface Type : SCSI
    DISK 3 Partitions : 1
    DISK 3 Bytespersector : 512
    DISK 3 Sectors per track : 63
    DISK 3 Firmware revision : SD13
    DISK 3 Device ID : \\.\PHYSICALDRIVE2
    DISK 3 PNP Device ID : SCSI\DISK&VEN_ATA&PROD_ST3640323AS\4&2A9518A8&0&010000
    ################## DISK VOLUME 1 ################### : ****************************************************************
    ***************
    DISK VOLUME 1 Caption : D:\
    DISK VOLUME 1 Drive Letter : D:
    DISK VOLUME 1 Label : Local Disk (Data)
    DISK VOLUME 1 Capacity : 596 GB
    DISK VOLUME 1 Free Space : 249 GB
    DISK VOLUME 1 Volume Type : Partition
    DISK VOLUME 1 Boot Volume : False
    DISK VOLUME 1 System Volume : False
    DISK VOLUME 1 Compressed : False
    DISK VOLUME 1 Serial Number : 3730156393
    DISK VOLUME 1 File System : NTFS
    DISK VOLUME 1 Block Size : 4096
    DISK VOLUME 1 Indexing Enabled : True
    DISK VOLUME 1 Auto Mount : True
    DISK VOLUME 1 Dirty Bit Set :
    ################## DISK VOLUME 2 ################### : ****************************************************************
    ***************
    DISK VOLUME 2 Caption : C:\
    DISK VOLUME 2 Drive Letter : C:
    DISK VOLUME 2 Label :
    DISK VOLUME 2 Capacity : 167 GB
    DISK VOLUME 2 Free Space : 48 GB
    DISK VOLUME 2 Volume Type : Partition
    DISK VOLUME 2 Boot Volume : True
    DISK VOLUME 2 System Volume : False
    DISK VOLUME 2 Compressed : False
    DISK VOLUME 2 Serial Number :
    DISK VOLUME 2 File System : NTFS
    DISK VOLUME 2 Block Size : 4096
    DISK VOLUME 2 Indexing Enabled : True
    DISK VOLUME 2 Auto Mount : True
    DISK VOLUME 2 Dirty Bit Set :
    ################## DISK VOLUME 3 ################### : ****************************************************************
    ***************
    DISK VOLUME 3 Caption : E:\
    DISK VOLUME 3 Drive Letter : E:
    DISK VOLUME 3 Label : Local Disk (Media)
    DISK VOLUME 3 Capacity : 596 GB
    DISK VOLUME 3 Free Space : 124 GB
    DISK VOLUME 3 Volume Type : Partition
    DISK VOLUME 3 Boot Volume : False
    DISK VOLUME 3 System Volume : False
    DISK VOLUME 3 Compressed : False
    DISK VOLUME 3 Serial Number :
    DISK VOLUME 3 File System : NTFS
    DISK VOLUME 3 Block Size : 4096
    DISK VOLUME 3 Indexing Enabled : True
    DISK VOLUME 3 Auto Mount : True
    DISK VOLUME 3 Dirty Bit Set :
    ################## DISK VOLUME 4 ################### : ****************************************************************
    ***************
    DISK VOLUME 4 Caption : H:\
    DISK VOLUME 4 Drive Letter : H:
    DISK VOLUME 4 Label :
    DISK VOLUME 4 Capacity : 0 GB
    DISK VOLUME 4 Free Space : 0 GB
    DISK VOLUME 4 Volume Type : CDROM
    DISK VOLUME 4 Boot Volume :
    DISK VOLUME 4 System Volume :
    DISK VOLUME 4 Compressed :
    DISK VOLUME 4 Serial Number :
    DISK VOLUME 4 File System :
    DISK VOLUME 4 Block Size :
    DISK VOLUME 4 Indexing Enabled :
    DISK VOLUME 4 Auto Mount : True
    DISK VOLUME 4 Dirty Bit Set :
    ################## DISK VOLUME 5 ################### : ****************************************************************
    ***************
    DISK VOLUME 5 Caption : I:\
    DISK VOLUME 5 Drive Letter : I:
    DISK VOLUME 5 Label :
    DISK VOLUME 5 Capacity : 0 GB
    DISK VOLUME 5 Free Space : 0 GB
    DISK VOLUME 5 Volume Type : CDROM
    DISK VOLUME 5 Boot Volume :
    DISK VOLUME 5 System Volume :
    DISK VOLUME 5 Compressed :
    DISK VOLUME 5 Serial Number :
    DISK VOLUME 5 File System :
    DISK VOLUME 5 Block Size :
    DISK VOLUME 5 Indexing Enabled :
    DISK VOLUME 5 Auto Mount : True
    DISK VOLUME 5 Dirty Bit Set :
    ################## DISK VOLUME 6 ################### : ****************************************************************
    ***************
    DISK VOLUME 6 Caption : F:\
    DISK VOLUME 6 Drive Letter : F:
    DISK VOLUME 6 Label : Sonic Generation
    DISK VOLUME 6 Capacity : 8 GB
    DISK VOLUME 6 Free Space : 0 GB
    DISK VOLUME 6 Volume Type : CDROM
    DISK VOLUME 6 Boot Volume : False
    DISK VOLUME 6 System Volume : False
    DISK VOLUME 6 Compressed :
    DISK VOLUME 6 Serial Number :
    DISK VOLUME 6 File System : CDFS
    DISK VOLUME 6 Block Size : 2048
    DISK VOLUME 6 Indexing Enabled :
    DISK VOLUME 6 Auto Mount : True
    DISK VOLUME 6 Dirty Bit Set : False
    ############## PHYSICAL MEMORY ARRAY ############### : ****************************************************************
    ***************
    Maximum Memory Capacity : 512 GB
    Number of Memory Devices : 8
    ################ PHYSICAL MEMORY 1 ################# : ****************************************************************
    ***************
    PHYSICAL MEMORY 1 Bank Label : ChannelA
    PHYSICAL MEMORY 1 Capacity : 8 GB
    PHYSICAL MEMORY 1 Data Width : 64
    PHYSICAL MEMORY 1 Speed : 1600
    PHYSICAL MEMORY 1 Description : Physical Memory
    PHYSICAL MEMORY 1 Tag : Physical Memory 0
    PHYSICAL MEMORY 1 Device Locator : ChannelA_Dimm1
    PHYSICAL MEMORY 1 Manufacturer : Corsair
    PHYSICAL MEMORY 1 Part Number : CML16GX3M2A1600C1
    PHYSICAL MEMORY 1 Serial Number : 00000000
    ################ PHYSICAL MEMORY 2 ################# : ****************************************************************
    ***************
    PHYSICAL MEMORY 2 Bank Label : ChannelB
    PHYSICAL MEMORY 2 Capacity : 8 GB
    PHYSICAL MEMORY 2 Data Width : 64
    PHYSICAL MEMORY 2 Speed : 1600
    PHYSICAL MEMORY 2 Description : Physical Memory
    PHYSICAL MEMORY 2 Tag : Physical Memory 2
    PHYSICAL MEMORY 2 Device Locator : ChannelB_Dimm1
    PHYSICAL MEMORY 2 Manufacturer : Corsair
    PHYSICAL MEMORY 2 Part Number : CML16GX3M2A1600C1
    PHYSICAL MEMORY 2 Serial Number : 00000000
    ################ PHYSICAL MEMORY 3 ################# : ****************************************************************
    ***************
    PHYSICAL MEMORY 3 Bank Label : ChannelC
    PHYSICAL MEMORY 3 Capacity : 8 GB
      My Computer


  6. Posts : 10,200
    MS Windows 7 Ultimate SP1 64-bit
       #6

    Now I'm not going to make you happy, but all of that anti-malware software of yours can be avoided very easily by some very malicious software.

    With that said, I need you to carry out this procedure and be sure that each and every one of your drives is scanned.

    WDO, from Microsoft, is an offline program which means that your Win 7 is never fired up, thus not allowing the bad guys to take advantage of the massive number of win 7 components that they hook into.

    When you complete this procedure, let me know and I've got another script which gives me info about what wdo did and found. If WDO finds something, then delete it.

    HOW TO USE WINDOWS DEFENDER OFFLINE ON A USB STICK
    Windows Defender Offline
    · is a free standalone, bootable malware and virus remover from Microsoft.
    · performs an offline scan of an infected PC to remove viruses, rootkits and other advanced malware.

    Download Windows Defender Offline (about 764 kB)

    You will have the choice of downloading the 32 bit version (x86) or the 64 bit version (x64).
    The link will help you determine whether you are running a 32 bit version or 64 bit version of Windows.

    NOTE!! You can download and prepare a 32 bit version using a 64 bit version of Windows.
    NOTE!! You can download and prepare a 64 bit version using a 32 bit version of Windows.

    You run the 32 bit version on a 32 bit version of Windows.
    You run the 64 bit version on a 64 bit version of Windows.

    The 32 bit download file name is: mssstool32.exe
    The 64 bit download file name is: mssstool64.exe

    For the curious, this program was originally named Microsoft Standalone System Sweeper.


    INSTALLATION:
    You will need an Internet Connection.
    Insert 512 mB (Microsoft’s 256 mB is no longer accurate) or larger USB stick into a usb port.
    Run the downloaded program--mssstool64.exe or mssstool32.exe
    NEXT button
    Choose the option On a USB flash drive that is not password protected
    NEXT button
    NEXT button

    The install program will format the usb stick using the NTFS format.
    The install program will download about 210 mB.
    The install program will name the USB stick WDO_Media32 or WDO_Media64
    The WDO_Media32 usb stick will have used space of 255 mB (268,140,544 bytes)
    The WDO_Media64 usb stick will have used space of 282 mB (296,165,376 bytes)
    You can expect the number of mB to increase as more malware appears.

    UPDATE Windows Defender Offline USB stick:
    · reinsert the usb stick
    · run the installation program, mssstool64.exe or mssstool32.exe, again.
    · the update will download about 66 mB (mssstool32.exe) and 68 mB (mssstool64.exe).

    Since the malware database is sometimes updated several times in a day, always update before running.

    PERFORM AN OFFLINE SCAN
    Boot up your computer from the USB stick
    Windows Defender Offline will automatically perform a quick scan.
    After the quick scan finishes, Choose Full Scan
    Select all of your drives

    The initial, full scan can easily take several hours, but remember, your computer is being very thoroughly checked for all types of malware.
      My Computer
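
    A check that fits between the INSTALLATION and PERFORM AN OFFLINE SCAN steps above, as an added example that is not part of the original post: it confirms the downloaded tool carries a valid Microsoft Authenticode signature and that the prepared stick has the label and NTFS file system the post says the installer produces. The download path is an assumption; the file names and volume labels are the ones given in the post.

```powershell
# Added example, not from the thread. The download path is an assumption;
# file names, volume labels and the NTFS format are the ones the post states.
param([string]$ToolPath = "$env:USERPROFILE\Downloads\mssstool64.exe")

function Test-WdoDownload {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Not found: $Path"
        return $false
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the file hash matches the signature and the chain ends in a
    # trusted root; the subject test only confirms who that trusted signer is.
    $isMicrosoft = $sig.SignerCertificate -and
        ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
    return (($sig.Status -eq 'Valid') -and $isMicrosoft)
}

function Get-WdoStick {
    # DriveType 2 = removable disk; works on the PowerShell 2.0 shipped with Windows 7.
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=2' |
        Where-Object { $_.VolumeName -match '^WDO_Media(32|64)$' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Drive  = $_.DeviceID
                Label  = $_.VolumeName
                IsNtfs = ($_.FileSystem -eq 'NTFS')
                UsedMB = [math]::Round(($_.Size - $_.FreeSpace) / 1MB)
            }
        }
}

if (Test-WdoDownload -Path $ToolPath) {
    Write-Output "OK: $ToolPath has a valid Microsoft signature"
} else {
    Write-Warning "Do not run $ToolPath; download it again from Microsoft"
}

$sticks = @(Get-WdoStick)
if ($sticks.Count -eq 0) { Write-Warning 'No removable volume labelled WDO_Media32 or WDO_Media64' }
$osBits = (Get-WmiObject -Class Win32_OperatingSystem).OSArchitecture  # e.g. "64-bit"
foreach ($s in $sticks) {
    Write-Output ("{0} {1} NTFS={2} used={3} MB" -f $s.Drive, $s.Label, $s.IsNtfs, $s.UsedMB)
    # The post: run the 32 bit build on 32 bit Windows and the 64 bit build on 64 bit Windows.
    if ($osBits -notmatch $s.Label.Substring(9)) {
        Write-Warning "$($s.Label) does not match this $osBits Windows; fine only if the stick is for another PC"
    }
}
```

    Because the thread suspects the installed Windows is compromised, the result is more trustworthy when the download and this check are done on a second, known-clean PC.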


  7. Posts : 4
    Windows 7 Ultimate x64
    Thread Starter
       #7

    I'll give this one a shot, and I'm familiar that it can skip all of those pieces of software. Just to let you know, the issue has also occurred with neither of my drives plugged in where the virus could be. Anyway, I'll try this one later and get back to you; I know it takes a while.
      My Computer


  8. Posts : 10,200
    MS Windows 7 Ultimate SP1 64-bit
       #8

    I'll await the report that you have run a full scan by wdo over all of your drives.
      My Computer


 

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd