Explorer.exe causes Iexplore to open multiple instances and high mem


  1. Posts : 572
    Windows 7 Professional x64
    Thread Starter
       #51

    gregrocker said:
    Did you start a fresh thread in Security forum and google for specialized tools for that infection? They don't always check More Help Needed.

    I am starting a new thread there now. Google has few results and I am suspicious of Comodo's answer as far as this particular infection. Could it be a cidoxVBR-A infection? Maybe but there is so little available on the search engines it is either really fresh or impossible to clean. Neither answer makes me feel too hopeful.

    I am of a state of mind to start fresh and look at the logs again with a clear head and see if anything stands out. Obviously Malwarebytes sees something going on, just not what it is. There is so little about IE multiple instances and memory overrun.

  2.    #52

    Some thoughts: If you must reinstall then they should understand some infections cannot be cleaned up. They should pay a premium for such serious work and even more if they complain.

    I'd tell them you'll throw in a backup image of a perfect install so they never have to reinstall again. They should be pleased that added MBAM protection is so cheap.

    Doing the right thing here: Priceless. (That's a problem I'd imagine if you do it for a living, as I've never been able to price it. But some gifts I get tell me it's very valuable.)


  3. Posts : 21,004
    Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
       #53

    mohavepc said:
    gregrocker said:
    Did you start a fresh thread in Security forum and google for specialized tools for that infection? They don't always check More Help Needed.

    I am starting a new thread there now. Google has few results and I am suspicious of Comodo's answer as far as this particular infection. Could it be a cidoxVBR-A infection? Maybe but there is so little available on the search engines it is either really fresh or impossible to clean. Neither answer makes me feel too hopeful.

    I am of a state of mind to start fresh and look at the logs again with a clear head and see if anything stands out. Obviously Malwarebytes sees something going on, just not what it is. There is so little about IE multiple instances and memory overrun.
    Without running the risk of repeating myself, I would run this first:
    http://support.kaspersky.com/4162 It will run from power up and avoid the Windows system as such.


  4. Posts : 572
    Windows 7 Professional x64
    Thread Starter
       #54

    ICit2lol said:
    mohavepc said:
    gregrocker said:
    Did you start a fresh thread in Security forum and google for specialized tools for that infection? They don't always check More Help Needed.

    I am starting a new thread there now. Google has few results and I am suspicious of Comodo's answer as far as this particular infection. Could it be a cidoxVBR-A infection? Maybe but there is so little available on the search engines it is either really fresh or impossible to clean. Neither answer makes me feel too hopeful.

    I am of a state of mind to start fresh and look at the logs again with a clear head and see if anything stands out. Obviously Malwarebytes sees something going on, just not what it is. There is so little about IE multiple instances and memory overrun.
    Without running the risk of repeating myself, I would run this first:
    Download Kaspersky Rescue Disk 10. It will run from power up and avoid the Windows system as such.
    No problem my friend. I have run the following live CDs: Kaspersky Rescue, AVG Rescue, Bitdefender Rescue, Norton Rescue. All of which do not see an infection. All scans are clean. I am running rkill right now so I can look at the logs. Mbam full scan with rootkits found 4) forged physical sectors so it is definitely a rootkit involved.


  5. Posts : 20,583
    Win-7-Pro64bit 7-H-Prem-64bit
       #55

    Hi,
    Did you scan all drives and all partitions with custom and rootkits?
    Post all scan reports here and on your new thread if created?


  6. Posts : 21,004
    Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
       #56

    OK, well, GMER is fairly hefty for a scan, though I have not run one for a long time. You need to be careful with it.
    GMER - Rootkit Detector and Remover


  7. Posts : 572
    Windows 7 Professional x64
    Thread Starter
       #57

    ThrashZone said:
    Hi,
    Did you scan all drives and all partitions with custom and rootkits?
    Post all scan reports here and on your new thread if created?
    Thrash, I am having an issue with time on this, and when I was trying to create a new thread in Security it timed out 3 times and would not let it post. I am going to restore this machine right now so I will be offline a few hours. I am thinking that the infected machine's hard drive might have infected this one when I scanned the drive. I'll be back later. If it isn't one thing it's another.


  8. Posts : 572
    Windows 7 Professional x64
    Thread Starter
       #58

    Hi all, I got the S.O.B. out. Turns out I got a call from another tech here in town that has also run into this issue. After collaborating for an hour we hit on the answer. It worked for both of us but there is a trick. Kaspersky Rescue needs to be run first. It may or may not show an issue (mine did not, but his shows minor Java issues). Then boot in safe mode with networking. Run Hitman Pro. Now this seems to be a 64-bit infection only. The way I figured that out is that if I kill all instances of IExplore and Explore.exe the machine mellowed out. I could then open the 32-bit version of IExplore without issue. However, if I opened the 64-bit version of IExplore the infection took off trying to call home again.

    Hitman Pro was able to see a file that was in the MBR pointing to the CidoxVGR-A with a Kaspersky icon and marked for repair.
    Now why Kaspersky didn't show it or try to repair must have to do with the rootkit itself somehow. I have contacted MS and Kaspersky with the logs to see if it can be caught faster. Now all I have to do is repair the damage to IExplore and we are good.

  9.    #59

    File in the MBR? Isn't MBR code? You mean in hidden System partition? Not scanned due to hidden? Found in memory?


  10. Posts : 572
    Windows 7 Professional x64
    Thread Starter
       #60

    gregrocker said:
    File in the MBR? Isn't MBR code? You mean in hidden System partition? Not scanned due to hidden? Found in memory?
    You are correct, Greg, however that is how Hitman Pro listed it. I will run Hitman again on another machine that is acting the same way and get a screenshot for you. I am also going to write a tutorial for Brink to look at on this PITA. Hitman says MBR infected; the options are ignore, replace, add exception.

    **edit**
    I ran Hitman on this machine (my main one) and found the cidoxVBR-a as well, but it had not infected the coding of the MBR as yet, probably because I haven't rebooted yet. I will run Hitman again after I reboot to be sure.
    **end edit**
      My Computer
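
Added example, not part of the thread or any poster's own code: the question in #59 about whether the MBR holds code or files, shown by parsing a raw 512-byte MBR dump, hashing its boot-code area against a known-good baseline, and locating the active partition's VBR for the same check. It assumes the sector was dumped to a file while booted from rescue media, since posts #54 and #58 describe scans that either missed the infection or saw forged sectors; all function names and the sample sector are constructed for illustration.

```python
import hashlib
import struct

SECTOR = 512

def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR sector into boot-code hash, partition entries, signature."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for i in range(4):                       # four 16-byte entries at offset 446
        raw = sector[446 + 16 * i: 462 + 16 * i]
        lba_start, count = struct.unpack_from("<II", raw, 8)
        if raw[4]:                           # partition type 0 means unused slot
            parts.append({"active": raw[0] == 0x80, "type": raw[4],
                          "lba_start": lba_start, "sectors": count})
    return {
        # bytes 0-439 are boot code; 440-445 (per-disk signature) are excluded
        "code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "partitions": parts,
        "signature_ok": sector[510:512] == b"\x55\xaa",
    }

def vbr_offset(info: dict) -> int:
    """Byte offset of the active partition's first sector (its VBR)."""
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        raise ValueError("expected exactly one active partition")
    return active[0]["lba_start"] * SECTOR

def check_against_baseline(sector: bytes, baseline_sha256: str) -> list:
    """Return findings for a dump compared with a known-good boot-code hash."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    return findings

def build_sample(code: bytes) -> bytes:
    """Constructed 512-byte sector: given code bytes, one active NTFS entry."""
    entry = struct.pack("<B3sB3sII", 0x80, b"", 0x07, b"", 2048, 204800)
    return code.ljust(446, b"\x00") + entry + b"\x00" * 48 + b"\x55\xaa"

if __name__ == "__main__":
    clean, changed = build_sample(b"\xfa\x33\xc0"), build_sample(b"\xeb\x3c\x90")
    baseline = parse_mbr(clean)["code_sha256"]
    print(check_against_baseline(changed, baseline), vbr_offset(parse_mbr(clean)))
```

The baseline hash should come from a dump of the same Windows version's MBR on a machine known to be clean; the sector at `vbr_offset` can be hashed and compared the same way.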