Solved Explorer.exe causes Iexplore to open multiple instances and high mem

This is a shot from the Bitdefender scan. These are the I/O errors it lists so far.
This scan runs from a Linux live CD, so it really should not have any permission errors, right?
*sigh* Looking bad right now. I hate having to tell them this kind of news.
Seagate reported no issues with the drive after 2 runs each of the short and long DST.
 

Attachments: IMAG0935.jpg (456.6 KB)

My Computer (at a glance):
Computer type: PC/Desktop
Computer Manufacturer/Model Number: Custom Build MPCBS AMII
OS: Windows 7 Professional x64
CPU: AMD Athlon II x4 3.00 GHz
Motherboard: MSI GF615M-p33
Memory: 16GB Kingston DDR3
Graphics Card(s): Nvidia 8600 (dual DVI out for 2 monitors)
Sound Card: Onboard
Monitor(s) Displays: Acer H233H 23", ASUS 23"
Screen Resolution: 1366 x 768
Hard Drives: (2) WD Blue 1 TB 3 partitions, (1) Seagate 7200 500GB with 2 partitions for useless and frequently deleted data. Looking forward to an SSD for OS soon.
PSU: Corsair 1100Watt
Case: Apevia HAF
Cooling: HAF AMD High Profile Heat sink and fan
Keyboard: wireless Logitech
Mouse: wireless Logitech
Internet Speed: 16 mbps
Antivirus: eSet, AVG, Clam and Clamwin (depends on machine)
Browser: Firefox
Other Info: (9) Win 7 machines all x64 (POS Updated to Windows 7 pro YEA), (4) Linux machines x64 and x86 including a v3000 compaq lappy brought back to life with Mint 9 used to scan drives, (1) Linux Machine dual boot XP Pro (for testing and destroying), (1) Win 7 pro x64/Win 8.1 Lenovo Laptop Dual Boot.
Well, for my two cents' worth, try these if you haven't already:

http://www.superantispyware.com/

http://www.malwarebytes.org/products/malwarebytes_free/

http://www.bleepingcomputer.com/download/adwcleaner/

Download from Bleeping Computer; delete any rubbish these find.

If these do not come up with anything, try one of these:

KASPERSKY RESCUE DISK

Download Kaspersky Rescue Disk 10

You will need to make a bootable disk, then set the BIOS to boot from either the optical drive (my preferred way) or a USB stick; again, as you are having problems there, stay with the optical. The rest I haven't tested yet, so I am not sure how good they are, and I run paid-for Kaspersky on all my machines anyway.

What this will do is scan from power on and check literally everything as it starts up.

Now, it does take a fair while to run, but it just may pick up some rubbish malware on its way into the system.

There are the rootkit scans too; any one of these, but TDSSKiller is the usual one to go with.
Five free portable rootkit removers - TechRepublic

One can go on to heavier stuff too, but try these first.

 

My Computer (at a glance):
Computer type: PC/Desktop
Computer Manufacturer/Model Number: Own build (new) Desk1 / Asus ROG Win 7 / Desk2 1st build
OS: Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
CPU: Desk1 i5 3750K / Laptop i7 GTX 860M / Desk2 i5 2500
Motherboard: Desk1 Asus P877-V / Desk2 Gigabyte H67 UD3H / Laptop ?
Memory: Desk1 8GB (1866) / Desk2 16GB (1333) / Laptop 8Gb DDR3
Graphics Card(s): Desk 1 & 2 NVidia GTX 650 & Laptops on board Intel
Sound Card: Desk 1 & 2 -XONAR DG Realtek High Def audio Laptop
Monitor(s) Displays: Desk 1 Benq HD 2450 / Desk2 Philips 24" / Laptop 17.5"
Screen Resolution: 1920x1080 D1 & D2 & Laptop 1
Hard Drives: Desk1 Samsung 120GB 830 SSD / Asus ROG 256GB 850 Pro SSD / Desk2 Samsung 840 256 SSD / Toshiba 120GB EVO
PSU: Desk 1 Corsair HX 1050/ Laptop ? / Desk 2 Corsair HX 650
Case: Desk 1 Cooler HAF XM ? Toshiba laptop / Desk2 Coolermaster
Cooling: Fans on all Desk1 -2 Desk2 - all Coolermasters 5 Laptop ?
Keyboard: Desk 1 MS Sidewinder X6 Desk 2 MS Sidewinder X 4
Mouse: Desk 1&2 - Gigabyte MS 900 gamer - laptop - Logitec wireless
Internet Speed: ADSL2+
Other Info: One other Desktop (tester) and spare Toshba laptop both with SSD's; Running Kaspersky 2016 ISS on all machines config'd identically; Logitec audio stereo systems on each machine (x3); Canon MG5250MFC; Router/modem TP-Link running WPA2SK

My Computer (at a glance):
Computer type: PC/Desktop
Computer Manufacturer/Model Number: Custom assembled by me :}
OS: Win-7-Pro64bit 7-H-Prem-64bit
CPU: i7-5930K 2nd i9-9940x both water blocked VRM's too
Motherboard: ASUS SABERTOOTH X99 2nd ASUS x299 Apex
Memory: Trident-z 3200C14 2nd Trident-z 3600C16
Graphics Card(s): EVGA 1080ti ftw3 2nd Titan Xp both water blocked
Sound Card: Built-in Realtek
Monitor(s) Displays: 1-AOC G2460PG 24" G-Sync 144Hz/ 2nd 1-ASUS VG248QE 24" 144Hz
Screen Resolution: 1920 x 1080 144Hz
Hard Drives: 2-Samsung M.2 Evo & Evo Plus; 2-Samsung 850 EVO 500GB SSD's/ 3-2.5 W.D. Black 1tb-&3-1tb/3-3.5 WD Black 1tb hdd's
PSU: EVGA SuperNOVA 1000-P2 2nd 1200-P2
Case: 2-Corsair Obsidian Series 450D Black ATX Mid Tower
Cooling: Custom water loops
Keyboard: Logitech G710+/ 2nd Logitech G910
Mouse: 2-RedDragon M901 Perdition 16400 dpi Gaming mouse = wired
Internet Speed: Comcast Ping 19ms 89.31mbps download speed 6.12mbps upload
Antivirus: Malwarebytes Pro/ Superantispyware Pro
Browser: FireFox & Pale moon
Other Info: 2nd ASUS X299 Apex/Intel i9-9940x with Custom water loop/7H-Prem-x64/Corsair 450D case/Ram Trident-z 3600C16 4x8gb / Samsung970Evo plus 500gb SSD/Dual ssd EZ swap evo/PSU EVGA SuperNova 1200w-P2 80+Platinum/GPU Titan Xp /8-ML-140 on push-pull on 2-280GTX rads
Hi,
In Malwarebytes there's the option to search for rootkits: Settings / Detection and Protection / check the box to scan for rootkits,
then Scan, Custom scan!
Use the Custom scan and make sure rootkits is activated; also be sure you don't use the machine during the scan, which can be very long ;)
http://www.sevenforums.com/tutorials/338716-malwarebytes-anti-malware-free.html
Mmm, TZ, I must check my settings as I just plonked the paid-for on some time ago and didn't think to check them out :)
 

Hi,
Yeah, I thought Bill's tutorial I posted walked through that part, but he doesn't :(
It's a pretty long scan with rootkits enabled on a custom scan, so be ready to sit for a while :)
 

Checked mine out and it's set up by default, I reckon, because I haven't been into settings since putting it on.
Funny thing is, with the paid-for the scans have never come up with much at all; not that they did with the free, but there were a few sometimes.
 

The paid-for version, running active, doesn't let bad things in, so it finds less.
The free version just cleans up the mess after things get in.
 

My Computer (at a glance):
Computer type: PC/Desktop
Computer Manufacturer/Model Number: Home made Desktop
OS: Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
CPU: Intel i7-6800K @ 4.3
Motherboard: ASUS X-99 Deluxe II
Memory: Corsair Platinum 16 gig @2400
Graphics Card(s): EVGA GTX 1070 OC
Monitor(s) Displays: Asus 27" LED LCD/VE278Q
Screen Resolution: 1920-1080 or 1280-720 HDMI
Hard Drives: INTEL SSD 730-240 Gb Sata 3.0/
PSU: EVGA Platium 1200W
Case: Phanteks Luxe Tempered Glass 8 fans/ one radiator
Cooling: XSPC/ Water Cooled CPU
Keyboard: Das 4 Professional
Mouse: Logitech M705/MX Anywhere 2-S
Internet Speed: 100 mbits
Antivirus: Microsoft Security Essentials/ Malwarebytes Premium 3.0/ SAS
Browser: I.E. 11 default/Firefox/ ISP Time Warner Cable/Spectrum
Other Info: LG BluRay Burner/ Sound system-KLipsch-THX/ Icy Dock ssd Hot Swap bays.
So then MBAM says you should only have to do one custom scan with scan for rootkits enabled?
To avoid any SSD or HDD scan thrashing ;)
 

The paid-for version has the rootkit scan already enabled. While it is active there are quite a few pop-ups that say IE is trying to access several different sites, like vacumeDOTcleanDOTcom among many others. I know this is an infection. Can't seem to figure out what is infected or how to remove it. Very frustrating indeed. :banghead::banghead::banghead:
 

Did you start a fresh thread in the Security forum and Google for specialized tools for that infection? They don't always check More Help Needed.
 
Did you start a fresh thread in the Security forum and Google for specialized tools for that infection? They don't always check More Help Needed.


I am starting a new thread there now. Google has few results, and I am suspicious of Comodo's answer as far as this particular infection goes. Could it be a cidoxVBR-A infection? Maybe, but there is so little available on the search engines that it is either really fresh or impossible to clean. Neither answer makes me feel too hopeful.

I am of a mind to start fresh and look at the logs again with a clear head and see if anything stands out. Obviously Malwarebytes sees something going on, just not what it is. There is so little about IE multiple instances and memory overrun.
 

Some thoughts: If you must reinstall, then they should understand some infections cannot be cleaned up. They should pay a premium for such serious work, and even more if they complain.

I'd tell them you'll throw in a backup image of a perfect install so they never have to reinstall again. They should be pleased that added MBAM protection is so cheap.

Doing the right thing here: priceless. (That's a problem, I'd imagine, if you do it for a living, as I've never been able to price it. But some gifts I get tell me it's very valuable.)
 
Without running the risk of repeating myself, I would run this first:
http://support.kaspersky.com/4162 It will run from power up and avoid the Windows system as such.
 

Without running the risk of repeating myself, I would run this first:
Download Kaspersky Rescue Disk 10. It will run from power up and avoid the Windows system as such.

No problem, my friend. I have run the following live CDs: Kaspersky Rescue, AVG Rescue, Bitdefender Rescue, Norton Rescue. None of them sees an infection; all scans are clean. I am running RKill right now so I can look at the logs. MBAM full scan with rootkits found (4) forged physical sectors, so there is definitely a rootkit involved.
 

Hi,
Did you scan all drives and all partitions with custom and rootkits?
Post all scan reports here and on your new thread, if created.
 


Hi,
Did you scan all drives and all partitions with custom and rootkits?
Post all scan reports here and on your new thread, if created.

Thrash, I am having an issue with time on this, and when I was trying to create a new thread in Security it timed out 3 times and would not let it post. I am going to restore this machine right now, so I will be offline a few hours. I am thinking that the infected machine's hard drive might have infected this one when I scanned the drive. I'll be back later. If it isn't one thing, it's another.
 

Hi all, I got the S.O.B. out. Turns out I got a call from another tech here in town that has also run into this issue. After collaborating for an hour we hit on the answer. It worked for both of us, but there is a trick. Kaspersky Rescue needs to be run first. It may or may not show an issue (mine did not, but his shows minor Java issues). Then boot in safe mode with networking. Run Hitman Pro. Now, this seems to be a 64-bit infection only. The way I figured that out is that if I kill all instances of IExplore and Explorer.exe the machine mellowed out. I could then open the 32-bit version of IExplore without issue. However, if I opened the 64-bit version of IExplore the infection took off trying to call home again.

Hitman Pro was able to see a file that was in the MBR pointing to the CidoxVBR-A with a Kaspersky icon and marked for repair.
Now, why Kaspersky didn't show it or try to repair must have to do with the rootkit itself somehow. I have contacted MS and Kaspersky with the logs to see if it can be caught faster. Now all I have to do is repair the damage to IExplore and we are good.
 

File in the MBR? Isn't MBR code? You mean in hidden System partition? Not scanned due to hidden? Found in memory?
 
File in the MBR? Isn't MBR code? You mean in hidden System partition? Not scanned due to hidden? Found in memory?

You are correct, Greg; however, that is how Hitman Pro listed it. I will run Hitman again on another machine that is acting the same way and get a screenshot for you. I am also going to write a tutorial for Brink to look at on this PITA. Hitman says MBR infected; the options are ignore, replace, add exception.

**edit**
I ran Hitman on this machine (my main one) and found the cidoxVBR-A as well, but it had not infected the coding of the MBR as yet, probably because I haven't rebooted yet. I will run Hitman again after I reboot to be sure.
**end edit**
 

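Greg's point above is the one that matters for a bootkit like the one described: the MBR is 512 bytes of code plus a partition table, not a file, so a scanner reports it as "infected" when the code bytes no longer match what the system was installed with. The following is an added example (not from the thread, and not how Hitman Pro, Kaspersky or MBAM work internally) that parses an MBR image, checks its signature and partition table, and compares a SHA-256 of the boot-code area against a known-good baseline; both MBR images are constructed in the code.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439 hold the executable boot code
DISK_SIG_OFF = 440             # 4-byte disk signature (then 2 reserved bytes)
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511
PART_FMT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count


def parse_partition_table(mbr):
    """Return the four primary partition entries; an entry with type 0 is unused."""
    entries = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            PART_FMT, mbr, PART_TABLE_OFF + 16 * i)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_hash(mbr):
    """SHA-256 of the code area only, so a disk-signature or table edit does not change it."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr, baseline_hash=None):
    """Return a list of findings; an empty list means nothing looked wrong."""
    if len(mbr) != SECTOR_SIZE:
        return ["unexpected length %d, want %d" % (len(mbr), SECTOR_SIZE)]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    parts = [p for p in parse_partition_table(mbr) if p["type"] != 0]
    active = [p for p in parts if p["status"] == 0x80]
    if len(active) > 1:                     # GPT protective MBRs legitimately have none
        findings.append("%d active partitions, expected at most 1" % len(active))
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in parts)
    for (_s1, e1), (s2, _e2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append("partitions overlap at LBA %d" % s2)
    # The table can look perfectly normal while the code was replaced; only the hash shows that.
    if baseline_hash is not None and boot_code_hash(mbr) != baseline_hash:
        findings.append("boot code differs from the known-good baseline")
    return findings


def build_sample_mbr(boot_code):
    """Constructed sample: one active NTFS partition (type 0x07) starting at LBA 2048."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into("<I", mbr, DISK_SIG_OFF, 0x1234ABCD)
    struct.pack_into(PART_FMT, mbr, PART_TABLE_OFF,
                     0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


# Constructed "known-clean" image; its hash stands in for one recorded from a clean install.
CLEAN_CODE = b"\xfa\x31\xc0\x8e\xd0" + b"\x90" * 20   # cli; xor ax,ax; mov ss,ax; nops
CLEAN_MBR = build_sample_mbr(CLEAN_CODE)
BASELINE = boot_code_hash(CLEAN_MBR)

# Constructed "tampered" image: partition table and signature untouched, three code bytes changed.
_tampered = bytearray(CLEAN_MBR)
_tampered[0:3] = b"\x00\x00\x00"
TAMPERED_MBR = bytes(_tampered)

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE) or "no findings")
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

On the Linux live CD the OP scans with, `dd if=/dev/sdX bs=512 count=1 of=mbr.bin` saves the first sector for check_mbr; the comparison is only meaningful against a baseline hash recorded from the same machine while it was known to be clean.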