Multiple iexplorer.exe instances amid other exe's + java script redirects


Post by cybernazi on Sat 07 Aug 2010, 4:07 am

First topic message reminder:

I have been fighting a nasty bug on my home network - all Win XP Pro SP3 systems seemed to be infected with something which redirects all installed browsers randomly. Google Analytics seems to be indicated as part of or related to the problem - it may be that the systems were affected by a Java exploit planted by a PDF-embedded exe or dll. I suspect it is a Java virtual machine spawning malicious processes. Here is the bottom line - all systems were initially protected by ESET NOD32 4 - useless! Since uninstalled. I have run Microsoft Security Essentials, Anti-Malware Bytes, AVG, Avira, and Stinger. All have found nothing but tracking cookies, if that.

If I run Microsoft update, I see multiple iexplorer.exe's running - and it takes 5 or so minutes for it to report that there are no updates. I have noticed other apps running with duplicates at times - notably Fix-it Utilities process MXTask2.exe - at times runs with duplicates - right down to twin tray icons... I suspect that whatever bug I have is spoofing other valid applications credentials to run undetected.

This is the hardest bug I have come across!

Trouble started about the time Firefox 3.6.7 and 3.6.8 (mid July) were released. I have uninstalled and reinstalled all Java and Sun Microsystems components (or tried to). Also removed all .jvs files dated July 2010. Reinstalled Firefox, and other related applications. Fix-it was added after the fact as it notifies me of any setup.exe launches, and was not part of the problem. I read the Microsoft security bulletin posted on 8/2/2010 at the McAfee threat center and downloaded the updates from MS but no effect. If the exploit got in that way - then the damage is already done and I am unable to detect it.

Any help would be appreciated - otherwise I will have to wipe all my systems and reinstall.

Currently have Avira running. AntiMalware was reinstalled - running database version 4052 but cannot update: MBAM_ERROR_UPDATING (12007,0, WinHttoSendRequest) is reported, and shutting off Avira and the firewall has no effect.

Any HELP would be most appreciated!

I ran ComboFix - here is the log:

ComboFix 10-08-05.07 - K E V i N 08/06/2010 8:35.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.219 [GMT -7:00]
Running from: c:\documents and settings\K E V i N\desktop\commy.exe
Command switches used :: /stepdel
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: Avira FireWall *enabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
.

((((((((((((((((((((((((( Files Created from 2010-07-06 to 2010-08-06 )))))))))))))))))))))))))))))))
.

2010-08-06 13:10 . 2010-08-06 13:10 -------- d-----w- c:\documents and settings\LocalService\Application Data\Avanquest
2010-08-06 04:38 . 2010-08-06 04:38 -------- d-----w- c:\documents and settings\K E V i N\Application Data\Avanquest
2010-08-05 17:52 . 2010-08-06 14:36 -------- d-----w- c:\windows\system32\NtmsData
2010-08-05 16:11 . 2010-08-05 16:11 -------- d-----w- c:\documents and settings\Z O E\Application Data\Avira
2010-08-05 14:25 . 2010-08-05 14:25 -------- d-----w- c:\documents and settings\K E V i N\Application Data\Avira
2010-08-05 13:37 . 2010-08-05 13:33 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-08-05 13:37 . 2010-08-05 13:33 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-08-05 13:37 . 2010-08-05 13:33 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-08-05 13:37 . 2010-08-05 13:33 79432 ----a-w- c:\windows\system32\drivers\avfwim.sys
2010-08-05 13:37 . 2010-08-05 13:33 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-08-05 13:37 . 2010-08-05 13:33 102856 ----a-w- c:\windows\system32\drivers\avfwot.sys
2010-08-05 13:37 . 2010-08-05 13:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-08-05 13:37 . 2010-08-05 13:37 -------- d-----w- c:\program files\Avira
2010-08-04 16:24 . 2010-08-04 16:26 -------- d-----w- c:\program files\Windows Live Safety Center
2010-08-03 16:52 . 2010-01-28 22:12 35000 ----a-w- c:\windows\system32\mxntdfg.exe
2010-08-03 16:52 . 2010-08-03 16:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Avanquest
2010-08-03 16:51 . 2010-08-03 16:51 -------- d-----r- C:\_Backup.RC
2010-08-03 16:51 . 2010-08-06 14:41 -------- d-----w- C:\_Backup
2010-08-03 16:49 . 2010-08-03 16:49 -------- d-----w- c:\documents and settings\Z O E\Application Data\Avanquest
2010-08-03 16:49 . 2010-08-03 16:49 -------- d-----w- c:\program files\Avanquest
2010-08-03 15:24 . 2010-08-03 15:24 -------- d-----w- c:\program files\AVG
2010-08-03 15:23 . 2010-08-05 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-08-03 02:13 . 2010-08-03 02:13 -------- d-----w- c:\program files\Common Files\Java
2010-08-03 02:12 . 2010-08-03 02:12 503808 ----a-w- c:\documents and settings\K E V i N\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6849cf42-n\msvcp71.dll
2010-08-03 02:12 . 2010-08-03 02:12 499712 ----a-w- c:\documents and settings\K E V i N\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6849cf42-n\jmc.dll
2010-08-03 02:12 . 2010-08-03 02:12 348160 ----a-w- c:\documents and settings\K E V i N\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6849cf42-n\msvcr71.dll
2010-08-03 02:12 . 2010-08-03 02:12 12800 ----a-w- c:\documents and settings\K E V i N\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4328d9c9-n\decora-d3d.dll
2010-08-03 02:12 . 2010-08-03 02:12 61440 ----a-w- c:\documents and settings\K E V i N\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4328d9c9-n\decora-sse.dll
2010-08-03 02:12 . 2010-08-03 02:12 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-03 02:12 . 2010-08-03 02:12 -------- d-----w- c:\program files\Java
2010-07-31 23:43 . 2010-06-01 17:37 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-07-31 15:50 . 2010-07-31 15:50 -------- d-sh--w- c:\documents and settings\Z O E\IECompatCache
2010-07-31 15:49 . 2010-07-31 15:49 -------- d-sh--w- c:\documents and settings\Z O E\PrivacIE
2010-07-31 15:35 . 2010-07-31 15:36 -------- d-----w- c:\program files\QuickTime
2010-07-31 15:35 . 2010-07-31 15:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-07-26 13:33 . 2010-07-26 13:33 -------- d-----w- c:\documents and settings\Z O E\Application Data\Malwarebytes
2010-07-21 19:58 . 2010-07-21 20:05 -------- d-----w- c:\documents and settings\S A r A\Application Data\U3
2010-07-16 14:36 . 2010-07-16 14:36 2568656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-07-16 14:36 . 2010-07-16 16:19 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-14 13:47 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-11 21:30 . 2010-07-11 21:30 -------- d-----w- c:\documents and settings\Z O E\Local Settings\Application Data\Identities
2010-07-09 15:03 . 2010-07-09 15:03 -------- d-----w- c:\program files\Harmonic Vision

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-06 13:31 . 2009-09-25 21:53 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-08-03 16:47 . 2009-09-25 20:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-31 15:44 . 2009-09-26 19:01 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-09 15:03 . 2009-08-25 23:19 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-07 04:01 . 2009-11-23 04:46 -------- d-----w- c:\documents and settings\L I Z Z O\Application Data\U3
2010-06-24 23:57 . 2010-06-24 23:57 -------- d-----w- c:\documents and settings\L I Z Z O\Application Data\Apple Computer
2010-06-24 23:57 . 2009-09-25 23:17 29576 ----a-w- c:\documents and settings\L I Z Z O\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-14 14:31 . 2009-08-25 23:07 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-05 282792]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Dialog Helper.lnk - c:\program files\VCOM\PowerDesk\pddlghlp.exe [2005-9-8 40960]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Z O E^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\Z O E\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CoolSwitch]
2001-10-08 19:59 45632 ----a-w- c:\windows\system32\TaskSwitch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2006-05-25 15:43 126976 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2004-05-12 22:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2004-02-12 20:38 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 18:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Adobe LM Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [8/5/2010 6:37 AM 102856]
R2 AntiVirFirewallService;Avira FireWall;c:\program files\Avira\AntiVir Desktop\avfwsvc.exe [8/5/2010 6:37 AM 536232]
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [8/5/2010 6:37 AM 337064]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/5/2010 6:37 AM 135336]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [8/5/2010 6:37 AM 405672]
R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [8/5/2010 6:37 AM 79432]
S2 Fix-It Utilities 10 Essentials Task Manager;Fix-It Utilities 10 Essentials Task Manager;c:\progra~1\AVANQU~1\Fix-It\mxtask.exe -Service --> c:\progra~1\AVANQU~1\Fix-It\mxtask.exe -Service [?]
.
Contents of the 'Scheduled Tasks' folder

2010-07-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
FF - ProfilePath - c:\documents and settings\K E V i N\Application Data\Mozilla\Firefox\Profiles\v1i0k5ta.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-08-06 08:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1336)
c:\program files\Avira\AntiVir Desktop\avsda.dll

- - - - - - - > 'explorer.exe'(3652)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-08-06 08:43:31
ComboFix-quarantined-files.txt 2010-08-06 15:43

Pre-Run: 20,064,157,696 bytes free
Post-Run: 20,029,243,392 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 81C251BA3362E3DEFFB09A3675ACB685

cybernazi

Rookie Surfer

Posts : 69
Joined : 2010-08-07
Operating System : Windows 7 Pro



Re: Multiple iexplorer.exe instances amid other exe's + java script redirects

Post by cybernazi on Mon 09 Aug 2010, 10:51 am

Well I found out something useful on my end.

They hacked my router - reset the DNS via the default password.

I have reset to factory defaults and configured a strong password. I have also changed the existing key above to the correct DNS for cox.net on my system.

Checking has revealed all systems on my network have the above listed Russian DNS address in the registry.

Now I want to know how it got in and what else to kill/change/delete.

I found a thread in parallel with the same problem:
[You must be registered and logged in to see this link.]

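The check the post above describes (every machine on the LAN carrying the rogue resolver in its TCP/IP interface keys), written out as an added example that is not part of this thread: a Python script that parses the text `reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces /s` prints and flags any NameServer or DhcpNameServer entry outside an allowlist. The allowlist, the interface GUIDs and the sample output are constructed for the example; 203.0.113.53 stands in for the rogue resolver and 198.51.100.x for the ISP's.

```python
r"""Flag unexpected DNS resolvers in exported Windows TCP/IP interface settings.

Added example, not code from the thread. When a router's DNS setting is changed
through its default password, every client that received the rogue resolver via
DHCP keeps it under
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}
as NameServer (static) or DhcpNameServer (DHCP-assigned). This parses the text
that `reg query <that key> /s` prints and reports resolvers not on an allowlist.
"""
import re
from typing import Dict, List

# Assumption for the example: the LAN router plus the ISP resolvers the owner
# expects. 198.51.100.0/24 is a documentation range standing in for the ISP.
EXPECTED_RESOLVERS = {"192.168.0.1", "198.51.100.1", "198.51.100.2"}

# Constructed sample of `reg query ... /s` output (not taken from the thread's
# ComboFix log). 203.0.113.53 stands in for the rogue resolver.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}
    UseZeroBroadcast    REG_DWORD    0x0
    EnableDHCP    REG_DWORD    0x1
    NameServer    REG_SZ
    DhcpNameServer    REG_SZ    203.0.113.53 192.168.0.1
    DhcpIPAddress    REG_SZ    192.168.0.12

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
    EnableDHCP    REG_DWORD    0x0
    NameServer    REG_SZ    192.168.0.1,198.51.100.1
"""

KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\.*\\Interfaces\\(\{[0-9A-Fa-f-]+\})\s*$")
VALUE_RE = re.compile(r"^\s+(NameServer|DhcpNameServer)\s+REG_SZ\s*(.*)$")


def parse_interfaces(reg_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Map interface GUID -> {"NameServer": [...], "DhcpNameServer": [...]}.

    Windows stores several resolvers in one REG_SZ separated by spaces or
    commas, so both separators are split; an empty value yields an empty list.
    """
    result: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for line in reg_text.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            result[current] = {"NameServer": [], "DhcpNameServer": []}
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            name, raw = value.groups()
            result[current][name] = [s for s in re.split(r"[,\s]+", raw.strip()) if s]
    return result


def unexpected_resolvers(reg_text: str, expected=EXPECTED_RESOLVERS) -> Dict[str, List[str]]:
    """Return {GUID: [resolver, ...]} for every resolver not in `expected`.

    Both lists are checked: a static NameServer is the one in effect when set,
    but a rogue DhcpNameServer comes straight back once DHCP is re-enabled.
    """
    findings = {}
    for guid, values in parse_interfaces(reg_text).items():
        servers = values["NameServer"] + values["DhcpNameServer"]
        bad = sorted({s for s in servers if s not in expected})
        if bad:
            findings[guid] = bad
    return findings


if __name__ == "__main__":
    hits = unexpected_resolvers(SAMPLE_REG_QUERY)
    if not hits:
        print("all interfaces use expected resolvers")
    for guid, servers in hits.items():
        print(f"{guid}: unexpected DNS resolver(s): {', '.join(servers)}")
```

Because the router hands the resolver out over DHCP, fixing the router alone is not enough; each client has to renew its lease (or be checked like this) before the cached rogue value is gone.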


Post by cybernazi on Mon 09 Aug 2010, 12:37 pm

So I was hit with whatever this is mid to late July.

With the MS security advisory:
[You must be registered and logged in to see this link.]
and the patch released on 8/2/2010

Coupled with the PDF issue in Acrobat products:
[You must be registered and logged in to see this link.]

I unchecked the default Acrobat setting "allow opening of non-pdf file attachments with external applications" to address what I can.

This was after the fact of whatever attack I was hit by.

Plus at the same time - Google Analytics-related Java issues...
[You must be registered and logged in to see this link.]

&

[You must be registered and logged in to see this link.]

Java Update
jre-6u21-windows-i586-iftw-rv.exe was released on 7/17/2010

All of the above has muddied the water, and the release of Firefox 3.6.7 and 3.6.8 during the same period has made this a moving target, which very well may have used several if not all of the above listed vulnerabilities to gain access; obviously it is not stopped by adding the patches after the fact. And once in, it is undetected by anything!

This seems to me like a big deal cybersecurity-wise - especially with Russia involved. Call me alarmist but this is not good.

Any thoughts?



Post by cybernazi on Mon 09 Aug 2010, 2:52 pm

Additional note - after correcting the DNS mapping I am now able to update AntiMalware no problem. Performing a full scan. Zero results so far - not even seeing any tracking cookies. I almost wonder if it's the real tool.



Post by Belahzur on Tue 10 Aug 2010, 10:56 am

Hello.
How is the machine running now then? No more redirect issues?


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre



Post by cybernazi on Tue 10 Aug 2010, 12:50 pm

I ran Ad-Aware on 2 of my systems - this one (wife's) and mine - both were infected with

Trojan.Win32.Generic!BT - in a system volume info file in each case

CoreGaurdAntivi\09.FakeCog(fs) was also removed from this (wife's) system

Overall it is much faster - but still a bit slow on the start up. So maybe we are in the clear.

I ran across an article warning about this DNS hack on techrepublic.com
here is a link

[You must be registered and logged in to see this link.]

This explains how they got in - much as I suspected.

It still bugs me that AntiMalwareBytes won't detect anything.

What protection suite do you recommend? I need something and I am not impressed with the performance of those I have tried.

Even Stinger was updated a few days ago and saw nothing wrong.

That article mentions an add-on for Firefox and I have it; it's called "NoScript" - it will block DNS hack attempts and forces you to give permission for Java to run on each page. Seems to work well.

So far I have not had any pop-ups or redirects.

Thanks for all your help - I never would have seen that.



Post by Belahzur on Wed 11 Aug 2010, 10:52 am

Hello.
System Volume Information is just System Restore, we can flush that, it's not a big issue.

Other than that, no complaints?






Post by cybernazi on Thu 12 Aug 2010, 2:28 am

So far repeated scans show nothing but presumed false positives on the downloads we have done.

The system is not what I would call 'normal' but is much better.

I had turned off System Restore (I assumed early on that the restore points were infected) but it is now turned back on - I assume due to the fact that several of the packages I have run said they were creating restore points.

Overall it is just sluggish still.

Any thoughts?



Post by cybernazi on Thu 12 Aug 2010, 1:17 pm

I have downloaded and installed all the Tuesday midnight Microsoft updates. It still launches double instances of IE and takes at least a full minute just to open the screen and show me the page for windows update.

About five minutes to check for updates.

Don't know what it is but this system was never that slow.



Post by Belahzur on Fri 13 Aug 2010, 10:46 am

One thing that may help is your RAM. Your current log shows me you only have 500 MB of RAM, when nowadays you need at the very least 1 GB, if not more, for machines of this day and age to run smoothly.




