~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Multiple instances of iexplore.exe running in my processes with no apps whatsoever running. "End Process" and a new iexplore.exe (or 2) appears hogging sometimes 80,90, 100 Mb's of memory.
I have stepped thru the "READ FIRST" page (ATF, MalwareBytes, SuperAntiSpyware, Panda) and fixed many threats, but iexplore.exe persists. I have also viewed several other users entries who have seen this ailment and it seems a different fix for each has been suggested.
Thanks in advance and please advise on a solution.
Gearhead4
removed e-mail address
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[MaleWareBytesLog]]]]]]]]]]]]]]]]]]]]]]]]
]]]]]]]]]]]]]
Malwarebytes' Anti-Malware 1.11
Database version: 660
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 110652
Time elapsed: 2 hour(s), 12 minute(s), 8 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{85e0b171-04fa-11d1-b7da-00a0c90348a7} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rightonadz (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\HID_Layer (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\www.host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rightonadz-uninst.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[ SuperAntiSpyware Log #1 ]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
SUPERAntiSpyware Scan Log
Generated 04/20/2008 at 05:10 AM
Application Version : 3.6.1000
Core Rules Database Version : 3442
Trace Rules Database Version: 1434
Scan type : Complete Scan
Total Scan Time : 02:09:36
Memory items scanned : 450
Memory threats detected : 0
Registry items scanned : 5657
Registry threats detected : 10
File items scanned : 42122
File threats detected : 10
Adware.AdRotator/RightOnz
HKLM\Software\Classes\CLSID\{10F3E8BD-257A-4702-A2F5-DC02055B068C}
HKCR\CLSID\{10F3E8BD-257A-4702-A2F5-DC02055B068C}
HKCR\CLSID\{10F3E8BD-257A-4702-A2F5-DC02055B068C}
HKCR\CLSID\{10F3E8BD-257A-4702-A2F5-DC02055B068C}\InprocServer32
HKCR\CLSID\{10F3E8BD-257A-4702-A2F5-DC02055B068C}\InprocServer32#ThreadingModel
HKCR\CLSID\{10F3E8BD-257A-4702-A2F5-DC02055B068C}\ProgID
HKCR\CLSID\{10F3E8BD-257A-4702-A2F5-DC02055B068C}\Programmable
HKCR\CLSID\{10F3E8BD-257A-4702-A2F5-DC02055B068C}\TypeLib
HKCR\CLSID\{10F3E8BD-257A-4702-A2F5-DC02055B068C}\VersionIndependentProgID
C:\WINDOWS\SYSTEM32\GZMRT.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#hid_start [ C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\gzmrotate.dll" DllVerify ]
Adware.Tracking Cookie
C:\Documents and Settings\ddaniels\Cookies\[email protected][1].txt
C:\Documents and Settings\ddaniels\Cookies\[email protected][2].txt
C:\Documents and Settings\ddaniels\Cookies\ddaniels@tribalfusion[2].txt
Adware.OneStepSearch
C:\SYSTEM VOLUME INFORMATION\_RESTORE{44325D8E-0988-40ED-BB56-355BFFEB7EA3}\RP86\A0034461.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{44325D8E-0988-40ED-BB56-355BFFEB7EA3}\RP86\A0034496.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{44325D8E-0988-40ED-BB56-355BFFEB7EA3}\RP86\A0034497.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{44325D8E-0988-40ED-BB56-355BFFEB7EA3}\RP86\A0034498.EXE
Trojan.Unclassified/NSN-Variant
C:\WINDOWS\SYSTEM32\NSQ7E.DLL
Unclassified.Unknown Origin
D:\DOWNLOAD\SOFTWARE\WORKING MODEL\CRACK\CRACKER.EXE
[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[ SuperAntiSpyware Log #2 ]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
SUPERAntiSpyware Scan Log
Generated 04/20/2008 at 09:01 PM
Application Version : 3.6.1000
Core Rules Database Version : 3442
Trace Rules Database Version: 1434
Scan type : Complete Scan
Total Scan Time : 07:38:23
Memory items scanned : 463
Memory threats detected : 0
Registry items scanned : 5667
Registry threats detected : 0
File items scanned : 77857
File threats detected : 2
Trojan.Unclassified/NSN-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{44325D8E-0988-40ED-BB56-355BFFEB7EA3}\RP115\A0041793.DLL
Unclassified.Unknown Origin
D:\DOWNLOAD\SOFTWARE\WORKING MODEL\CRACK\CRACKER.EXE
[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[ Active Scan Log ]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
;*******************************************************************************
********************************************************************************
*
*******************
ANALYSIS: 2008-04-22 06:06:53
PROTECTIONS: 2
MALWARE: 14
SUSPECTS: 0
;*******************************************************************************
********************************************************************************
*
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
================================================================================
=
===================
Symantec Antivirus Corporate Edition 8.0 No Yes
Norton Antivirus Edition 7.5 No Yes
;===============================================================================
================================================================================
=
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
================================================================================
=
===================
00003428 adware/memorywatcher Adware No 0 Yes No hkey_classes_root\vbrad.trayicon
00046757 spyware/bridge Spyware No 1 Yes No hkey_local_machine\software\microsoft\windows\currentversion\run\mswspl
00047257 vbs/psyme.gen Virus/Trojan No 0 No No c:\program files\windows media player\wmplayer.exe.tmp
00118392 Adware/Trymedia Adware No 0 Yes No C:\Downloads\D2elvesSetup-dm[1].exe
00118392 Adware/Trymedia Adware No 0 Yes No C:\Downloads\D2galleanSetup-dm[1].exe
00118392 Adware/Trymedia Adware No 0 Yes No C:\Downloads\D2ProphecySetup-dm[1].exe
00193807 dialer.bny Dialers No 0 Yes No c:\windows\pcconfig.dat
00235342 Adware/IST.ISTBar Adware No 1 Yes No D:\Download\Software\Working Model\crack\WORKING[1].MODEL.2D.2004.V7.0-NiTROUS.ZIP[cracker.exe]
00235342 Adware/IST.ISTBar Adware No 1 Yes No D:\Download\Software\Working Model\crack\cracker.exe
00524419 Application/Altnet HackTools No 0 Yes No D:\Download\Software\Kazzaa\kazaa_lite_202_english.exe
00524419 Application/Altnet HackTools No 0 Yes No D:\Download\Software\Kazzaa\klite_202_b1.zip[first stage/kazaa_lite_202_english.exe]
00527204 Application/PRScheduler HackTools No 0 Yes No C:\DOCUMENTS AND SETTINGS\DDANIELS\START MENU\PROGRAMS\STARTUP\POWERREG SCHEDULER V3.EXE
02409980 Adware/SystemDoctor Adware No 0 Yes No C:\Documents and Settings\Blake\Application Data\16 kind\zutjvkti.exe
02685009 Adware/SystemDoctor Adware No 0 Yes No C:\Documents and Settings\Blake\Application Data\16 kind\smukdinb.exe
02868852 Adware/SystemDoctor Adware No 0 Yes No C:\Documents and Settings\Blake\Application Data\16 kind\tzqjgxut.exe
02881056 Adware/Lop Adware No 0 Yes No C:\Documents and Settings\Jessica\Application Data\16 kind\uounxjhg.exe
02890449 Adware/Lop Adware No 0 Yes No C:\Documents and Settings\All Users\Application Data\Close Noun Junk Logo\GREAT UP.exe
02910946 Adware/Lop Adware No 0 Yes No C:\System Volume Information\_restore{44325D8E-0988-40ED-BB56-355BFFEB7EA3}\RP84\A0030850.exe
;===============================================================================
================================================================================
=
===================
SUSPECTS
Sent Location Cy
;===============================================================================
================================================================================
=
===================
;===============================================================================
================================================================================
=
===================
VULNERABILITIES
Id Severity Description Cy
;===============================================================================
================================================================================
=
===================
;===============================================================================
================================================================================
=
===================
[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[ Hijack This Log ]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:47 PM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\devldr32.exe
D:\Programs\ZONEAL~1\zlclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Real\RealPlayer\trueplay.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8081
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] D:\Programs\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [Memo Dent Junk Readme] C:\Documents and Settings\All Users\Application Data\Plan Team Memo Dent\OwnsFree.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1125010856\ee\AOLHostManager.exe
O4 - HKCU\..\Run: [ctwdm32] C:\WINDOWS\system32\ctwdm32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DentIso] C:\DOCUME~1\ddaniels\APPLIC~1\16KIND~1\ExitLogo.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless Configuration Utility HW.14.lnk = C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 5883 bytes