Adlice forum

General Category => Malware removal help => Topic started by: 236dave on April 13, 2015, 01:17:55 pm

Title: Proc Infected - iexplorer.exe - Keeps returning - Please Help!
Post by: 236dave on April 13, 2015, 01:17:55 pm
Hi,
I have a HP laptop running Windows 7 and ask for help in getting rid of Malware.

I have run Roguekiller several times, but the problem keeps returning.
I have read the article http://www.adlice.com/userland-rootkits-part-1-iat-hooks/ which I was direced to after one of the scans, but I am not a computer techie, and would like a simple laymans guide on how to get rid of this problem.

I have saved the last Roguekiller report if thats any help?  (see below)

Can someone please help me?
It would be much appreciated.
Thanks
Dave

RogueKiller V10.5.9.0 [Apr  7 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Dave [Administrator]
Started from : C:\Users\Dave\Desktop\RogueKiller.exe
Mode : Delete -- Date : 04/13/2015  11:51:23

Processes : 2
[Proc.Injected] iexplore.exe(8464) -- C:\Program Files (x86)\Internet Explorer\iexplore.exe[7] -> Killed [TermProc]
[Suspicious.Path] (SVC) RapportCerberus_43926 -- \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus64_43926.sys[7] -> ERROR [41c]

Registry : 2
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RapportCerberus_43926 (\??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus64_43926.sys) -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RapportCerberus_43926 (\??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus64_43926.sys) -> Deleted

Tasks : 0

Files : 0

Hosts File : 0

Antirootkit : 0 (Driver: Not loaded [0xc000036b])

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0: Hitachi HTS547575A9E384 +++++
--- User ---
[MBR] 9c50ca4918e89af5c43423daea0b5f77
[BSP] 450a4243d6e193ea8fdc87af2a3def53 : Windows Vista/7/8 MBR Code
Partition table:
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_04092015_172117.log - RKreport_DEL_04092015_172439.log - RKreport_SCN_04102015_000703.log - RKreport_DEL_04102015_002419.log
RKreport_SCN_04102015_152317.log - RKreport_DEL_04102015_153400.log - RKreport_SCN_04112015_003307.log - RKreport_DEL_04112015_003408.log
RKreport_SCN_04112015_113057.log - RKreport_DEL_04112015_113843.log - RKreport_DEL_04112015_113906.log - RKreport_SCN_04112015_121327.log
RKreport_DEL_04112015_123147.log - RKreport_SCN_04122015_085229.log - RKreport_DEL_04122015_085909.log - RKreport_SCN_04122015_092810.log
RKreport_SCN_04122015_203612.log - RKreport_SCN_04132015_002004.log - RKreport_DEL_04132015_083301.log - RKreport_SCN_04132015_091040.log
RKreport_DEL_04132015_091115.log - RKreport_SCN_04132015_115021.log
Title: Re: Proc Infected - iexplorer.exe - Keeps returning - Please Help!
Post by: Curson on April 13, 2015, 06:13:27 pm
Hi Dave,

Welcome to Adlice.com Forum.

The report you posted was generated with the 32 bits version of RogueKiller.
Please download RogueKiller (64 bits version) (http://www.adlice.com//?smd_process_download=1&download_id=2181), redo a full scan and post the report obtained in your next reply.

Regards.
Title: Re: Proc Infected - iexplorer.exe - Keeps returning - Please Help!
Post by: 236dave on April 13, 2015, 07:35:45 pm
Hi Curson,

Before seeing your reply I found this thread http://forum.adlice.com/index.php?topic=273.0 and downloaded Processhacker, where I terminated the iexplorer.exe process tree, which was giving the background iexplorer pages. Task manager shows that they are no longer running, for now anyway.

I then saw your reply and followed the instructions.
Here is the latest report run with Roguekiller(x64):
Hope you can help.
Thanks
Dave

RogueKiller V10.5.9.0 (x64) [Apr  7 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Dave [Administrator]
Started from : C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1TSJTDUW\RogueKillerX64.exe
Mode : Delete -- Date : 04/13/2015  18:22:16

Processes : 1
[Suspicious.Path] (SVC) RapportCerberus_43926 -- \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus64_43926.sys[7] -> ERROR [41c]

Registry : 3
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RapportCerberus_43926 (\??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus64_43926.sys) -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RapportCerberus_43926 (\??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus64_43926.sys) -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RapportCerberus_43926 (\??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus64_43926.sys) -> Deleted

Tasks : 0

Files : 0

Hosts File : 0

Antirootkit : 0 (Driver: Loaded)

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0: Hitachi HTS547575A9E384 +++++
--- User ---
[MBR] 9c50ca4918e89af5c43423daea0b5f77
[BSP] 450a4243d6e193ea8fdc87af2a3def53 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 199 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 409600 | Size: 700789 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1435625472 | Size: 14312 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 1464936448 | Size: 102 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_04092015_172117.log - RKreport_DEL_04092015_172439.log - RKreport_SCN_04102015_000703.log - RKreport_DEL_04102015_002419.log
RKreport_SCN_04102015_152317.log - RKreport_DEL_04102015_153400.log - RKreport_SCN_04112015_003307.log - RKreport_DEL_04112015_003408.log
RKreport_SCN_04112015_113057.log - RKreport_DEL_04112015_113843.log - RKreport_DEL_04112015_113906.log - RKreport_SCN_04112015_121327.log
RKreport_DEL_04112015_123147.log - RKreport_SCN_04122015_085229.log - RKreport_DEL_04122015_085909.log - RKreport_SCN_04122015_092810.log
RKreport_SCN_04122015_203612.log - RKreport_SCN_04132015_002004.log - RKreport_DEL_04132015_083301.log - RKreport_SCN_04132015_091040.log
RKreport_DEL_04132015_091115.log - RKreport_SCN_04132015_115021.log - RKreport_DEL_04132015_115123.log - RKreport_SCN_04132015_181016.log
Title: Re: Proc Infected - iexplorer.exe - Keeps returning - Please Help!
Post by: Curson on April 13, 2015, 07:52:22 pm
Hi Dave,

I believe the injection te be caused by RapportCerberus, a security program.
Could you please restart Internet Explorer and follow the following process :
We will analyse what is really injected, and whitelist if needed.

Regards.
Title: Re: Proc Infected - iexplorer.exe - Keeps returning - Please Help!
Post by: 236dave on April 13, 2015, 08:57:23 pm
Hi Curson

Followed your instructions, and here here the link to the dump file.
https://drive.google.com/file/d/0B3HVkdtL-bK7NG1rSF9Nd1lQYlU/view?usp=sharing

Thanks
Dave
Title: Re: Proc Infected - iexplorer.exe - Keeps returning - Please Help!
Post by: Curson on April 13, 2015, 09:22:18 pm
Hi Dave,

You dumped the process explorer.exe, not iexplorer.exe.
Could you please redo the dumping process?

Regards.
Title: Re: Proc Infected - iexplorer.exe - Keeps returning - Please Help!
Post by: 236dave on April 14, 2015, 12:28:44 am
Hi Curson,

Sorry I'll try again.
I am now getting another iexplorer running in the background, it shows up in the Applications tab of task manager.
I have found two different instances of iexplore in procexp, so I have attched links to both, the 2nd one I renamed iexplore2:
https://drive.google.com/file/d/0B3HVkdtL-bK7WjVRTS13dFExYnM/view?usp=sharing
https://drive.google.com/file/d/0B3HVkdtL-bK7ZmZSbkljNE5fQUk/view?usp=sharing
Hope this helps.
Dave
Title: Re: Proc Infected - iexplorer.exe - Keeps returning - Please Help!
Post by: 236dave on April 15, 2015, 12:51:49 am
Hi Curson,

Hope you get the chance to look at my previous post with the attachments.
Its now near bed time over here in the uk, but I will check in tomorrow after work.
All the best.
Dave
Title: Re: Proc Infected - iexplorer.exe - Keeps returning - Please Help!
Post by: Curson on April 15, 2015, 11:53:12 am
Hi Dave,

Analysing the dumps will require some time.
I will keep you updated there.

Regards.
Title: Re: Proc Infected - iexplorer.exe - Keeps returning - Please Help!
Post by: 236dave on April 15, 2015, 08:15:35 pm
Thanks Curson!

Your help is much appreciated.

Dave
Title: Re: Proc Infected - iexplorer.exe - Keeps returning - Please Help!
Post by: Curson on April 21, 2015, 10:14:18 pm
Hi Dave,

I analysed the dumps and found nothing malicious.
The injection will be whitlisted in RogueKiller as soon as possible.

Regards.
Title: Re: Proc Infected - iexplorer.exe - Keeps returning - Please Help!
Post by: 236dave on April 22, 2015, 11:35:05 pm
Hi Curson,
Good to hear there was nothing malicious found.
Excuse my ignorance, but am I right in thinking by whitelisting the injection, it will be automatically blocked by Roguekiller?

Thanks for your efforts, I would like to purchase your premium version.
Is it now safe to make the financial transaction on my laptop.
I have been reluctant to make any financial transactions with the problem Ive had.
Could you give an estimate of when the whitelist will be introduced.
Thanks
Dave
Title: Re: Proc Infected - iexplorer.exe - Keeps returning - Please Help!
Post by: Curson on April 23, 2015, 08:19:49 pm
Hi Dave,

Quote from: 236dave
Good to hear there was nothing malicious found.
Excuse my ignorance, but am I right in thinking by whitelisting the injection, it will be automatically blocked by Roguekiller?
When the injection will be whitelisted, RogueKiller won't detect it anymore.

Quote from: 236dave
Thanks for your efforts, I would like to purchase your premium version.
Is it now safe to make the financial transaction on my laptop.
I have been reluctant to make any financial transactions with the problem Ive had.
I am pleased to hear that our product have been helpful to you. Thanks for supporting it. :)

Quote from: 236dave
Could you give an estimate of when the whitelist will be introduced.
I cannot give you a date for the time being but I will not fail to inform you when it's done.

Regards
Title: Re: Proc Infected - iexplorer.exe - Keeps returning - Please Help!
Post by: 236dave on April 23, 2015, 08:56:12 pm
Hi Curson,
I'm a bit puzzled, how will whitelisting help?

I still have the original problem, where extra iexplorer pages (normally ads) are being opened up in the background, which slows up my laptop.

How do I get rid of this problem?
Thanks for helping.
Dave
Title: Re: Proc Infected - iexplorer.exe - Keeps returning - Please Help!
Post by: Curson on April 24, 2015, 08:56:13 am
Hi Dave,

I'm sorry I had not realized that the problem was not solved.
We will investigate this more thoroughly.

Please download Farbar Recovery Scan Tool (x64) (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to your Desktop.
Regards.
Title: Re: Proc Infected - iexplorer.exe - Keeps returning - Please Help!
Post by: 236dave on April 24, 2015, 07:48:32 pm
Hi Curson,
Followed your instructions, and attached the logs.
The FRST64 stalled a few times, ie it displayed (not responding), but then continued to run.
The logs had too many characters to cut and paste, so I have attached zip files.
Hope you can help.
Dave
Title: Re: Proc Infected - iexplorer.exe - Keeps returning - Please Help!
Post by: Curson on April 26, 2015, 05:19:16 pm
Hi Dave,

Some error occured during the scan, indeed.
A quick question, are you being helped in another forum at the same time ?

Download attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system !

Run FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

How is the computer running ?

Regards.
Title: Re: Proc Infected - iexplorer.exe - Keeps returning - Please Help!
Post by: 236dave on April 27, 2015, 08:07:45 pm
Hi Curson,
I saved fixlist.txt to my desktop, where I have FRST64, is this what you meant by they must be in the same location?

I then opened FRST64 and ran a scan, before hitting the Fix button.

The fixlist.txt then disappeared from my desktop?

So far the problem hasn't reappeared, and Ive been using my laptop for a few hours now.
It would normally return after about 1/2hr usage.

There are still a few queries (pic attached), such as:
Internet histogram in tray shows a yellow dot, instead of white reception strength bars (its been this way for a few weeks)
Intel RST is not running.

But my laptop is running much quieter and quicker, so a big thanks to you!

btw - To answer your question, I have not been helped in another forum, its only been yourself who has helped me.

I have also attached the Fixlog.txt that you asked for.
Regards
Dave

Title: Re: Proc Infected - iexplorer.exe - Keeps returning - Please Help!
Post by: Curson on April 27, 2015, 09:59:51 pm
Hi Dave,
Quote from: Dave
I saved fixlist.txt to my desktop, where I have FRST64, is this what you meant by they must be in the same location?
I then opened FRST64 and ran a scan, before hitting the Fix button.
The fixlist.txt then disappeared from my desktop?

So far the problem hasn't reappeared, and Ive been using my laptop for a few hours now.
It would normally return after about 1/2hr usage.
It was not necessary to rerun a scan before proceeding the fix (that's why the fixlist.txt was deleted).
Anyway, FRST did its job successfully. All the problematic entries seems to be gone.

Quote from: Dave
Internet histogram in tray shows a yellow dot, instead of white reception strength bars (its been this way for a few weeks)
It's difficult to determine the cause but let's try a generic fix.
Please open a command prompt with admin rights and copy/paste the following command :
Quote
winmgmt /salvagerepository

Quote from: Dave
Intel RST is not running.
Please uninstall Intel RST module. Then download the latest version HERE (http://downloadmirror.intel.com/24779/eng/setupRST.exe) and install it.
Reboot your computer.

Quote from: Dave
But my laptop is running much quieter and quicker, so a big thanks to you!
I'm glad the hear that.
How is the computer running by the time being ?

Regards.
Title: Re: Proc Infected - iexplorer.exe - Keeps returning - Please Help!
Post by: 236dave on April 28, 2015, 12:57:38 am
Hi Curson,
Laptop is still running fine with no return of my original problem.

I followed your instructions:
ie,
Copied and pasted the code into command prompt - see screen print attached
also
uninstalled existing Intel RST, but new installation failed - see screen print attached

Thanks for the continued support.
Dave
Title: Re: Proc Infected - iexplorer.exe - Keeps returning - Please Help!
Post by: Curson on April 29, 2015, 12:54:04 am
Hi Dave,

Could you please try with this one (http://downloadmirror.intel.com/17296/a08/iata78_cd.exe) ?

Regards.
Title: Re: Proc Infected - iexplorer.exe - Keeps returning - Please Help!
Post by: 236dave on April 29, 2015, 08:23:08 pm
Hi Curson,

I've just purchased the Premium version :)
Which is in appreciation of your continued support!
& this software that is spotting problems that my paid Malwarebytes is not.

btw I tried the new link but still no joy, see attached screen prints.
Regards
Dave


Title: Re: Proc Infected - iexplorer.exe - Keeps returning - Please Help!
Post by: Curson on April 29, 2015, 09:44:11 pm
Hi Dave,

Quote from: Dave
I've just purchased the Premium version :)
Which is in appreciation of your continued support!
Many thanks for supporting us ! I am glad to hear your satisfaction. :)

Quote from: Dave
& this software that is spotting problems that my paid Malwarebytes is not.
Malwarebytes Anti-Malware and RogueKiller use two different approaches to fight malwares. Therefore, they are pretty complementary.

Quote from: Dave
btw I tried the new link but still no joy, see attached screen prints.
That's pretty weird.
Could you please download and execute the Intel Chipset Device Software (http://downloadmirror.intel.com/20775/eng/SetupChipset.exe) utility and then retry the install of Intel RST ?

Regards.
Title: Re: Proc Infected - iexplorer.exe - Keeps returning - Please Help!
Post by: 236dave on April 30, 2015, 10:14:17 am
Hi Curson,
I successfully installed the 'Intel Chipset Device Software' and then tried installing from your link on post #20, but it failed again with the same error, see attached.
Dave
Title: Re: Proc Infected - iexplorer.exe - Keeps returning - Please Help!
Post by: Curson on May 01, 2015, 09:43:11 pm
Hi Dave,

Could you please do a last try with the Intel RST installer on post #18 (http://forum.adlice.com/index.php?topic=424.msg2132#msg2132) ?

Regards.