Adlice forum
General Category => Malware removal help => Topic started by: i.m.galicia on February 13, 2015, 03:43:21 PM
-
I run the scan tool multiple times and it always shows the same things. It closes down the IE in task manager but as soon as I reboot they open again. It even pops up, as I shut down my computer, different IE pages that are non-existent on my desktop.
RogueKiller V10.2.0.0 (x64) [Jan 19 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Steve [Administrator]
Mode : Delete -- Date : 02/13/2015 08:42:47
¤¤¤ Processes : 12 ¤¤¤
[Proc.Injected] svchost.exe(2752) -- C:\Windows\system32\svchost.exe[Proc.Svchost] svchost.exe(2752) -- C:\Windows\system32\svchost.exe[7] -> Killed [TermProc]
[Proc.Svchost] svchost.exe(3508) -- C:\Windows\SysWow64\svchost.exe[7] -> Killed [TermThr]
[Proc.Injected] dllhost.exe(3936) -- C:\Windows\SysWow64\dllhost.exe[7] -> Killed [TermProc]
[Proc.Injected] dllhost.exe(3956) -- C:\Windows\SysWow64\dllhost.exe[7] -> Killed [TermProc]
[Proc.Injected] dllhost.exe(3964) -- C:\Windows\SysWow64\dllhost.exe[7] -> Killed [TermProc]
[Proc.Injected] dllhost.exe(3972) -- C:\Windows\SysWow64\dllhost.exe[7] -> Killed [TermProc]
[Proc.Injected] dllhost.exe(3980) -- C:\Windows\SysWow64\dllhost.exe[7] -> Killed [TermProc]
[Proc.Injected] dllhost.exe(3988) -- C:\Windows\SysWow64\dllhost.exe[7] -> Killed [TermProc]
[Proc.Injected] dllhost.exe(3996) -- C:\Windows\SysWow64\dllhost.exe[7] -> Killed [TermProc]
[Proc.Injected] dllhost.exe(4004) -- C:\Windows\SysWow64\dllhost.exe[7] -> Killed [TermProc]
[Proc.Injected] dllhost.exe(4012) -- C:\Windows\SysWow64\dllhost.exe[7] -> Killed [TermProc]
¤¤¤ Registry : 1 ¤¤¤
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://dell13-comm.msn.com -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST500DM0 ST500DM002-1BD14 SCSI Disk Device +++++
--- User ---
[MBR] d13b2dbf00c1f14ebe87172b0fa5dfae
[BSP] b61111669b9fb7c397c245f49761b642 : HP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 19016 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 39026688 | Size: 457880 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([18] The program issued a command but the command length is incorrect. )
============================================
RKreport_DEL_02132015_075549.log - RKreport_DEL_02132015_081523.log - RKreport_DEL_02132015_081803.log - RKreport_DEL_02132015_082155.log
RKreport_DEL_02132015_082959.log - RKreport_SCN_02132015_075341.log - RKreport_SCN_02132015_081431.log - RKreport_SCN_02132015_081714.log
RKreport_SCN_02132015_082029.log - RKreport_SCN_02132015_082825.log - RKreport_SCN_02132015_084218.log
-
Hi Steve,
Welcome to Adlice.com Forum.
The [Proc.Injected] detection could be triggered by two things:
- A real infection (like Zeus, Carberp, Poweliks, they are all using that thing)
- Your antivirus injecting your processes to protect you (in theory).
To determine what's going on, and possibly whitelist the cases where it's a legit injection, please do the following:
1. Process Dump
- Download Process Explorer (http://live.sysinternals.com/procexp.exe) and save it to your desktop.
- Click on the setup file (procexp.exe) and select Run as Administrator to start the tool.
- Locate the process named dllhost.exe, right-click it and select Create Dump > Create Full Dump...
- Save the dump on your desktop, compress it and upload it on Google Drive/Dropbox.
- Share the link in your next reply.
We will analyse what is really injected, and whitelist if needed.
Regards.
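As an added example (not code from the thread, from Adlice or from RogueKiller), a small Python parser for the `[Proc.*]` lines of a RogueKiller report: it counts [Proc.Injected] hits per image path so a helper can see at a glance whether one process was touched (typical of an antivirus hook) or many identical hosts were flagged at once (the ten SysWow64\dllhost.exe instances in the log above). The sample report lines are constructed in the shape of the log quoted in this thread.

```python
import re
from collections import Counter

# Constructed sample in the shape of the RogueKiller "Processes" and
# "Registry" sections quoted in this thread (not the poster's full report).
SAMPLE_REPORT = """\
¤¤¤ Processes : 4 ¤¤¤
[Proc.Injected] svchost.exe(2752) -- C:\\Windows\\system32\\svchost.exe[7] -> Killed [TermProc]
[Proc.Svchost] svchost.exe(3508) -- C:\\Windows\\SysWow64\\svchost.exe[7] -> Killed [TermThr]
[Proc.Injected] dllhost.exe(3936) -- C:\\Windows\\SysWow64\\dllhost.exe[7] -> Killed [TermProc]
[Proc.Injected] dllhost.exe(3956) -- C:\\Windows\\SysWow64\\dllhost.exe[7] -> Killed [TermProc]
¤¤¤ Registry : 1 ¤¤¤
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main | Start Page : http://example.invalid -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
"""

# One process detection line:  [Proc.Tag] image(pid) -- path[n] -> Action [Detail]
PROC_LINE = re.compile(
    r"^\[(?P<tag>Proc\.[A-Za-z]+)\]\s+(?P<image>\S+)\((?P<pid>\d+)\)\s+--\s+"
    r"(?P<path>.+?)\[\d+\]\s+->\s+(?P<action>\w+)"
)


def parse_processes(report):
    """Return one dict (tag, image, pid, path, action) per [Proc.*] line."""
    hits = []
    for line in report.splitlines():
        m = PROC_LINE.match(line)
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            hits.append(d)
    return hits


def injected_by_path(report):
    """Count [Proc.Injected] hits per image path (paths compared case-insensitively)."""
    return Counter(h["path"].lower() for h in parse_processes(report)
                   if h["tag"] == "Proc.Injected")


def repeated_injected_hosts(report, min_count=2):
    """Image paths with several injected instances at once: the pattern that
    justifies dumping one of them instead of assuming an antivirus hook."""
    return {p: n for p, n in injected_by_path(report).items() if n >= min_count}
```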
-
https://docs.google.com/file/d/0B1MHmge-AGN9NmduQ0tfUS1WWWM/edit
Is this correct? I've never done this before. Thank you in advance. Actually, looking further into it, there are 10 processes with that same name in the program.
Here's a link to the other process that contained the 10 processes of DLLhost.EXE
https://docs.google.com/file/d/0B1MHmge-AGN9a080T2IwUjZCWGc/edit
-
Hi Steve,
You need to set the right permissions to allow me to download the file.
Please refer to this page (https://support.google.com/drive/topic/2525251?hl=en&ref_topic=2375188) to do so.
Regards.