Malware and Virus RemovalProblems removing malware/viruses? Get help from our Malware removal experts.
Mission Statement
WindowsBBS is an online community dedicated to easily accessible technical support for those using Microsoft operating systems and other Windows software.
Our goal is to become the leading resource for computer users that require assistance with their day-to-day computer usage, including full support for networking PC's, virus & malware removal, system upgrades and general support questions.
I'm pretty sure its the iexplore virus.. First, my mouse moved on its own, clicked start, went to all programs, and opened a file. I opened task manager and noticed the process IEXPLORE.exe. I never use internet explorer, so i clicked "end process". About 10 seconds later, the process came up again and keeps coming back every time I end the process. My computer is running slower than usual, so I think somethings up!
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/13/2009 11:19:50 PM
System Uptime: 10/27/2009 10:08:15 PM (0 hours ago)
Motherboard: ASUSTeK Computer INC. | | P5KPL-CM
Processor: Intel(R) Core(TM)2 Quad CPU Q8300 @ 2.50GHz | Socket 775 | 2508/333mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 298 GiB total, 267.743 GiB free.
D: is CDROM ()
==== Disabled Device Manager Items =============
Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: Microsoft PS/2 Mouse
Device ID: ACPI\PNP0F03\4&2C575ACB&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Mouse
PNP Device ID: ACPI\PNP0F03\4&2C575ACB&0
Service: i8042prt
==== System Restore Points ===================
RP88: 7/27/2009 6:52:09 PM - System Checkpoint
RP89: 7/28/2009 7:52:44 PM - System Checkpoint
RP90: 7/29/2009 8:49:43 PM - System Checkpoint
RP91: 7/30/2009 9:32:44 PM - System Checkpoint
RP92: 7/31/2009 10:31:09 PM - System Checkpoint
RP93: 8/2/2009 4:40:40 PM - System Checkpoint
RP94: 8/3/2009 5:26:54 PM - System Checkpoint
RP95: 8/4/2009 5:43:05 PM - Installed Java(TM) 6 Update 15
RP96: 8/5/2009 6:36:01 PM - System Checkpoint
RP97: 8/7/2009 6:57:19 PM - System Checkpoint
RP98: 8/11/2009 9:57:04 PM - System Checkpoint
RP99: 8/13/2009 7:30:39 PM - System Checkpoint
RP100: 8/15/2009 3:34:36 PM - System Checkpoint
RP101: 8/16/2009 4:21:17 PM - System Checkpoint
RP102: 8/17/2009 8:53:36 PM - System Checkpoint
RP103: 8/19/2009 5:35:25 PM - System Checkpoint
RP104: 8/20/2009 6:26:32 PM - System Checkpoint
RP105: 8/22/2009 4:23:29 PM - System Checkpoint
RP106: 8/23/2009 4:59:50 PM - System Checkpoint
RP107: 8/24/2009 6:48:01 PM - System Checkpoint
RP108: 8/25/2009 9:20:39 PM - System Checkpoint
RP109: 8/26/2009 9:21:21 PM - System Checkpoint
RP110: 8/27/2009 9:36:02 PM - System Checkpoint
RP111: 8/29/2009 10:37:27 AM - System Checkpoint
RP112: 8/30/2009 2:46:00 PM - System Checkpoint
RP113: 9/1/2009 6:46:01 PM - System Checkpoint
RP114: 9/2/2009 6:54:32 PM - System Checkpoint
RP115: 9/3/2009 7:20:25 PM - System Checkpoint
RP116: 9/5/2009 2:51:04 PM - System Checkpoint
RP117: 9/6/2009 2:54:42 PM - System Checkpoint
RP118: 9/7/2009 4:20:18 PM - System Checkpoint
RP119: 9/8/2009 6:29:43 PM - System Checkpoint
RP120: 9/9/2009 7:02:38 PM - System Checkpoint
RP121: 9/10/2009 7:10:31 PM - System Checkpoint
RP122: 9/12/2009 3:50:06 PM - System Checkpoint
RP123: 9/13/2009 6:20:41 PM - System Checkpoint
RP124: 9/15/2009 8:58:03 PM - System Checkpoint
RP125: 9/17/2009 9:30:29 PM - System Checkpoint
RP126: 9/19/2009 11:32:15 AM - System Checkpoint
RP127: 9/20/2009 4:47:13 PM - System Checkpoint
RP128: 9/21/2009 6:27:45 PM - System Checkpoint
RP129: 9/22/2009 9:14:19 PM - System Checkpoint
RP130: 9/24/2009 5:50:36 PM - System Checkpoint
RP131: 9/26/2009 2:26:22 PM - System Checkpoint
RP132: 9/27/2009 4:52:34 PM - System Checkpoint
RP133: 9/29/2009 7:19:04 PM - System Checkpoint
RP134: 9/30/2009 7:44:34 PM - System Checkpoint
RP135: 10/3/2009 1:25:21 PM - System Checkpoint
RP136: 10/4/2009 3:01:37 PM - System Checkpoint
RP137: 10/5/2009 3:25:38 PM - System Checkpoint
RP138: 10/6/2009 5:56:03 PM - System Checkpoint
RP139: 10/7/2009 6:46:00 PM - System Checkpoint
RP140: 10/9/2009 5:44:03 PM - System Checkpoint
RP141: 10/10/2009 7:18:21 PM - System Checkpoint
RP142: 10/12/2009 12:51:40 PM - System Checkpoint
RP143: 10/17/2009 5:48:21 PM - System Checkpoint
RP144: 10/18/2009 6:04:00 PM - System Checkpoint
RP145: 10/19/2009 10:13:44 PM - System Checkpoint
RP146: 10/21/2009 6:41:48 PM - System Checkpoint
RP147: 10/24/2009 12:43:29 PM - System Checkpoint
RP148: 10/25/2009 5:00:09 PM - System Checkpoint
RP149: 10/26/2009 10:37:43 PM - System Checkpoint
==== Installed Programs ======================
µTorrent
Acrobat.com
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Reader 9.1.3
Apple Software Update
Atheros Communications Inc.(R) AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver
ATI Display Driver
Audacity 1.2.6
BattleForge™
BitDefender Total Security 2009
BoE Client
Cheat Engine 5.5
Counter-Strike
Counter-Strike: Source
CSStrat
GoldWave v5.20
Google Chrome
Hotfix for Windows XP (KB942288-v3)
Java(TM) 6 Update 15
LG USB Modem Drivers
LimeWire PRO 5.3.6
LiveZilla
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
mIRC
Mozilla Firefox (3.5.3)
MSXML 6.0 Parser (KB925673)
NVIDIA Drivers
NVIDIA PhysX
Oxelon Media Converter 1.1
Pando Media Booster
Platform
QuickTime
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB960715)
Steam(TM)
Ventrilo Client
VIA Platform Device Manager
WebFldrs XP
Windows Communication Foundation
Windows Presentation Foundation
Windows Workflow Foundation
WinRAR archiver
WonderKing
Workspace Macro 4.6
XML Paper Specification Shared Components Pack 1.0
==== Event Viewer Messages From Past Week ========
10/27/2009 9:41:53 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
10/27/2009 9:12:04 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service VSSERV with arguments "" in order to run the server: {6DFC0DC7-FDC5-44C2-8B80-5977BA8F8ACC}
10/27/2009 8:14:28 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD bdftdif Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
10/27/2009 8:14:28 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
10/27/2009 8:14:28 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/27/2009 8:14:28 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/27/2009 8:14:28 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
10/27/2009 8:14:09 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
10/27/2009 8:13:36 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
10/27/2009 8:13:34 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
10/27/2009 10:10:16 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.
10/26/2009 7:37:37 PM, error: Print [22] - Failed to ugrade printer settings for printer \\Matthew-pc\HP Photosmart C5200 series,LocalOnly driver C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\UNIDRVUI.DLL error 5.
10/22/2009 7:23:44 PM, error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the Interface with IP address 192.168.2.3. The machine with the IP address 192.168.2.4 did not allow the name to be claimed by this machine.
10/21/2009 5:03:53 PM, error: Service Control Manager [7000] - The Ralink Registry Writer service failed to start due to the following error: The system cannot find the file specified.
==== End Of File ===========================
DDS (Ver_09-10-26.01) - NTFSx86
Run by Nolan at 22:24:29.71 on Tue 10/27/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3583.3091 [GMT -5:00]
I don't see anything malicious and iexplore.exe is running from legit location.
It must be induced by some other process (Google updater?)
Let's double check...
Print these instructions out.
NOTE. If any of the programs listed below refuse to run, try renaming executive file to something else; for instance, rename hijackthis.exe to scanner.exe
***VERY IMPORTANT! Make sure, you update Superantispyware, and Malwarebytes before running the scans.***
* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
* Close SUPERAntiSpyware.
PHYSICALLY DISCONNECT FROM THE INTERNET
Restart computer in Safe Mode. To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen
* Open SUPERAntiSpyware.
* Click Scan your Computer... button.
* Click Scanning Preferences/Control Center... button.
* Under General and Startup tab, make sure, Start SUPERAntiSpyware when Windows starts option is UN-checked.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked): - Close browsers before scanning.
- Terminate memory threats before quarantining.
* Click the Close button to leave the control center screen.
* On the left, make sure you check C:\Fixed Drive.
* On the right, choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
* Make sure everything has a checkmark next to it and click Next.
* A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
* If asked if you want to reboot, click Yes.
* To retrieve the removal information after reboot, launch SUPERAntispyware again. - Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program. Post SUPERAntiSpyware log.
RECONNECT TO THE INTERNET
RESTART COMPUTER!
STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop. (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
STEP 4. Download HijackThis: http://www.trendsecure.com/portal/en...kthis/download
by clicking on Download HijackThis Installer
Install, and run it. Post HijackThis log. NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
Do NOT attempt to "fix" anything!
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:30:50 PM, on 10/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
Please, never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE. If Combofix asks you to install Recovery Console, please allow it.
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
Make sure, you re-enable your security programs, when you're done with Combofix.
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
[HKLM\~\startupfolder\C:^Documents and Settings^Nolan^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Nolan\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Glob allyOpenPorts\List]
"56285:TCP"= 56285:TCP:Pando Media Booster
"56285:UDP"= 56285:UDP:Pando Media Booster
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - FCA45C54B67C85F754F399295738A41C
_________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:17:41 PM, on 10/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal
NOTE. If any of the programs listed below refuse to run, try renaming executive file to something else; for instance, rename hijackthis.exe to scanner.exe
***VERY IMPORTANT! Make sure, you update Superantispyware, and Malwarebytes before running the scans.***
* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
* Close SUPERAntiSpyware.
PHYSICALLY DISCONNECT FROM THE INTERNET
Restart computer in Safe Mode. To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen
* Open SUPERAntiSpyware.
* Click Scan your Computer... button.
* Click Scanning Preferences/Control Center... button.
* Under General and Startup tab, make sure, Start SUPERAntiSpyware when Windows starts option is UN-checked.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked): - Close browsers before scanning.
- Terminate memory threats before quarantining.
* Click the Close button to leave the control center screen.
* On the left, make sure you check C:\Fixed Drive.
* On the right, choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
* Make sure everything has a checkmark next to it and click Next.
* A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
* If asked if you want to reboot, click Yes.
* To retrieve the removal information after reboot, launch SUPERAntispyware again. - Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program. Post SUPERAntiSpyware log.
RECONNECT TO THE INTERNET
RESTART COMPUTER!
STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop. (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
RESTART COMPUTER!
STEP 3. Post fresh HijackThis log. NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
Do NOT attempt to "fix" anything!
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
_____________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:48:56 PM, on 10/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:19:29 AM, on 11/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal
1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.
2. Turn off System Restore:
- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK
3. Restart computer.
4. Turn System Restore on.
5. Make sure, Windows Updates are current.
6. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!
7. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.
Thank you very much, I really appreciate you helping me through this. My computer is doing much better than before. Can I ask you what antivirus you recommend? And do you have any idea on how I got my computer infected? Thanks.
- free Comodo Internet Security (firewall + AV): http://www.personalfirewall.comodo.com/
NOTE. During installation, Comodo will also allow you to install AV only, or firewall only, if you prefer to combine one Comodo product with some other product.
If you decide to install Avast, or Avira, make sure, Windows firewall is turned on, or use Comodo firewall..
If you decide to install Comodo Internet Security, or just Comodo firewall, make sure, Windows firewall is turned off.
IMPORTANT!Make sure, you use only ONE antivirus, and ONE firewall.
