Topic: Proc Infected - iexplorer.exe - Keeps returning - Please Help!


April 13, 2015, 01:17:55 pm

236dave

Hi,
I have an HP laptop running Windows 7 and am asking for help in getting rid of malware.

I have run Roguekiller several times, but the problem keeps returning.
I have read the article http://www.adlice.com/userland-rootkits-part-1-iat-hooks/ which I was directed to after one of the scans, but I am not a computer techie, and would like a simple layman's guide on how to get rid of this problem.

I have saved the last Roguekiller report if that's any help (see below).

Can someone please help me?
It would be much appreciated.
Thanks
Dave

RogueKiller V10.5.9.0 [Apr  7 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Dave [Administrator]
Started from : C:\Users\Dave\Desktop\RogueKiller.exe
Mode : Delete -- Date : 04/13/2015  11:51:23

Processes : 2
[Proc.Injected] iexplore.exe(8464) -- C:\Program Files (x86)\Internet Explorer\iexplore.exe[7] -> Killed [TermProc]
[Suspicious.Path] (SVC) RapportCerberus_43926 -- \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus64_43926.sys[7] -> ERROR [41c]

Registry : 2
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RapportCerberus_43926 (\??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus64_43926.sys) -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RapportCerberus_43926 (\??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus64_43926.sys) -> Deleted

Tasks : 0

Files : 0

Hosts File : 0

Antirootkit : 0 (Driver: Not loaded [0xc000036b])

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0: Hitachi HTS547575A9E384 +++++
--- User ---
[MBR] 9c50ca4918e89af5c43423daea0b5f77
[BSP] 450a4243d6e193ea8fdc87af2a3def53 : Windows Vista/7/8 MBR Code
Partition table:
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_04092015_172117.log - RKreport_DEL_04092015_172439.log - RKreport_SCN_04102015_000703.log - RKreport_DEL_04102015_002419.log
RKreport_SCN_04102015_152317.log - RKreport_DEL_04102015_153400.log - RKreport_SCN_04112015_003307.log - RKreport_DEL_04112015_003408.log
RKreport_SCN_04112015_113057.log - RKreport_DEL_04112015_113843.log - RKreport_DEL_04112015_113906.log - RKreport_SCN_04112015_121327.log
RKreport_DEL_04112015_123147.log - RKreport_SCN_04122015_085229.log - RKreport_DEL_04122015_085909.log - RKreport_SCN_04122015_092810.log
RKreport_SCN_04122015_203612.log - RKreport_SCN_04132015_002004.log - RKreport_DEL_04132015_083301.log - RKreport_SCN_04132015_091040.log
RKreport_DEL_04132015_091115.log - RKreport_SCN_04132015_115021.log
« Last Edit: April 13, 2015, 01:33:09 pm by 236dave »

Curson

Re: Proc Infected - iexplorer.exe - Keeps returning - Please Help!
« Reply #1 on: April 13, 2015, 06:13:27 pm »
Hi Dave,

Welcome to Adlice.com Forum.

The report you posted was generated with the 32-bit version of RogueKiller.
Please download RogueKiller (64-bit version), redo a full scan and post the report obtained in your next reply.

Regards.

236dave

« Reply #2 on: April 13, 2015, 07:35:45 pm »
Hi Curson,

Before seeing your reply I found this thread http://forum.adlice.com/index.php?topic=273.0 and downloaded Processhacker, where I terminated the iexplorer.exe process tree, which was giving the background iexplorer pages. Task manager shows that they are no longer running, for now anyway.

I then saw your reply and followed the instructions.
Here is the latest report run with Roguekiller(x64):
Hope you can help.
Thanks
Dave

RogueKiller V10.5.9.0 (x64) [Apr  7 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Dave [Administrator]
Started from : C:\Users\Dave\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1TSJTDUW\RogueKillerX64.exe
Mode : Delete -- Date : 04/13/2015  18:22:16

Processes : 1
[Suspicious.Path] (SVC) RapportCerberus_43926 -- \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus64_43926.sys[7] -> ERROR [41c]

Registry : 3
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RapportCerberus_43926 (\??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus64_43926.sys) -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\RapportCerberus_43926 (\??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus64_43926.sys) -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\RapportCerberus_43926 (\??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus64_43926.sys) -> Deleted

Tasks : 0

Files : 0

Hosts File : 0

Antirootkit : 0 (Driver: Loaded)

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0: Hitachi HTS547575A9E384 +++++
--- User ---
[MBR] 9c50ca4918e89af5c43423daea0b5f77
[BSP] 450a4243d6e193ea8fdc87af2a3def53 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 199 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 409600 | Size: 700789 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1435625472 | Size: 14312 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 1464936448 | Size: 102 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_04092015_172117.log - RKreport_DEL_04092015_172439.log - RKreport_SCN_04102015_000703.log - RKreport_DEL_04102015_002419.log
RKreport_SCN_04102015_152317.log - RKreport_DEL_04102015_153400.log - RKreport_SCN_04112015_003307.log - RKreport_DEL_04112015_003408.log
RKreport_SCN_04112015_113057.log - RKreport_DEL_04112015_113843.log - RKreport_DEL_04112015_113906.log - RKreport_SCN_04112015_121327.log
RKreport_DEL_04112015_123147.log - RKreport_SCN_04122015_085229.log - RKreport_DEL_04122015_085909.log - RKreport_SCN_04122015_092810.log
RKreport_SCN_04122015_203612.log - RKreport_SCN_04132015_002004.log - RKreport_DEL_04132015_083301.log - RKreport_SCN_04132015_091040.log
RKreport_DEL_04132015_091115.log - RKreport_SCN_04132015_115021.log - RKreport_DEL_04132015_115123.log - RKreport_SCN_04132015_181016.log

Curson

« Reply #3 on: April 13, 2015, 07:52:22 pm »
Hi Dave,

I believe the injection to be caused by RapportCerberus, a security program.
Could you please restart Internet Explorer and follow this process:
  • Download Process Explorer and save it to your desktop.
  • Click on the setup file (procexp.exe) and select Run as Administrator to start the tool.
  • Locate the process named iexplore.exe, right-click it and select Create Dump > Create Full Dump...
  • Save the dump on your desktop, compress it and upload it on Google Drive/Dropbox.
  • Share the link in your next reply.
We will analyse what is really injected, and whitelist if needed.

Regards.
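
As an added example (my code, not RogueKiller's and not anything posted in the thread), a small Python parser for the report format Dave posted, with the two checks this thread turns on: whether a 32-bit build scanned a 64-bit Windows (reply #1) and which findings sit under the Trusteer Rapport path that Curson identifies as a security product (reply #3). The report excerpt is a constructed, abridged copy of the first log, and the vendor path list is an assumption made for the example.

```python
import re
from collections import defaultdict

# Constructed, abridged excerpt of the first RogueKiller report in this thread (not the full log).
SAMPLE_REPORT = r"""RogueKiller V10.5.9.0 [Apr  7 2015] by Adlice Software
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Processes : 2
[Proc.Injected] iexplore.exe(8464) -- C:\Program Files (x86)\Internet Explorer\iexplore.exe[7] -> Killed [TermProc]
[Suspicious.Path] (SVC) RapportCerberus_43926 -- \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus64_43926.sys[7] -> ERROR [41c]

Registry : 1
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RapportCerberus_43926 (\??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\43926\RapportCerberus64_43926.sys) -> Deleted

Tasks : 0
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+?) : \d+")
FINDING_RE = re.compile(r"^\[(?P<category>[\w.]+)\]\s+(?P<detail>.+?)\s+->\s+(?P<action>.+)$")
# Assumed for this example: path fragment of the security product Curson names (Trusteer Rapport).
SECURITY_PRODUCT_PATHS = ("\\trusteer\\rapport\\",)

def parse_report(text):
    """Group each '[Category] detail -> action' line under the section header above it."""
    findings, section = defaultdict(list), None
    for line in text.splitlines():
        if head := SECTION_RE.match(line):
            section = head.group("name")
        elif (hit := FINDING_RE.match(line)) and section:
            findings[section].append(hit.groupdict())
    return dict(findings)

def build_mismatch(text):
    """True when a 32-bit RogueKiller build (no '(x64)' in the banner) scanned 64-bit Windows."""
    return "64 bits version" in text and "(x64)" not in text.splitlines()[0]

def triage(findings):
    """Label each finding: security-product path, injected process needing a dump, or review."""
    verdicts = []
    for section, items in findings.items():
        for item in items:
            verdict = "review"
            if any(p in item["detail"].lower() for p in SECURITY_PRODUCT_PATHS):
                verdict = "likely false positive (security product path)"
            elif item["category"] == "Proc.Injected":
                verdict = "needs analysis (dump the process)"
            if item["action"].startswith("ERROR"):
                verdict += "; removal failed"  # e.g. ERROR [41c] in the posted report
            verdicts.append((section, item["category"], verdict))
    return verdicts
```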

236dave

« Reply #4 on: April 13, 2015, 08:57:23 pm »
Hi Curson

Followed your instructions, and here is the link to the dump file.
https://drive.google.com/file/d/0B3HVkdtL-bK7NG1rSF9Nd1lQYlU/view?usp=sharing

Thanks
Dave

Curson

« Reply #5 on: April 13, 2015, 09:22:18 pm »
Hi Dave,

You dumped the process explorer.exe, not iexplorer.exe.
Could you please redo the dumping process?

Regards.

236dave

« Reply #6 on: April 14, 2015, 12:28:44 am »
Hi Curson,

Sorry I'll try again.
I am now getting another iexplorer running in the background; it shows up in the Applications tab of task manager.
I have found two different instances of iexplore in procexp, so I have attached links to both; the 2nd one I renamed iexplore2:
https://drive.google.com/file/d/0B3HVkdtL-bK7WjVRTS13dFExYnM/view?usp=sharing
https://drive.google.com/file/d/0B3HVkdtL-bK7ZmZSbkljNE5fQUk/view?usp=sharing
Hope this helps.
Dave

236dave

« Reply #7 on: April 15, 2015, 12:51:49 am »
Hi Curson,

Hope you get the chance to look at my previous post with the attachments.
It's now near bedtime over here in the UK, but I will check in tomorrow after work.
All the best.
Dave

Curson

« Reply #8 on: April 15, 2015, 11:53:12 am »
Hi Dave,

Analysing the dumps will require some time.
I will keep you updated there.

Regards.

236dave

« Reply #9 on: April 15, 2015, 08:15:35 pm »
Thanks Curson!

Your help is much appreciated.

Dave

Curson

« Reply #10 on: April 21, 2015, 10:14:18 pm »
Hi Dave,

I analysed the dumps and found nothing malicious.
The injection will be whitelisted in RogueKiller as soon as possible.

Regards.

236dave

« Reply #11 on: April 22, 2015, 11:35:05 pm »
Hi Curson,
Good to hear there was nothing malicious found.
Excuse my ignorance, but am I right in thinking that by whitelisting the injection, it will be automatically blocked by Roguekiller?

Thanks for your efforts, I would like to purchase your premium version.
Is it now safe to make the financial transaction on my laptop?
I have been reluctant to make any financial transactions with the problem I've had.
Could you give an estimate of when the whitelist will be introduced?
Thanks
Dave

Curson

« Reply #12 on: April 23, 2015, 08:19:49 pm »
Hi Dave,

Quote from: 236dave
Good to hear there was nothing malicious found.
Excuse my ignorance, but am I right in thinking that by whitelisting the injection, it will be automatically blocked by Roguekiller?
Once the injection is whitelisted, RogueKiller won't detect it anymore.

Quote from: 236dave
Thanks for your efforts, I would like to purchase your premium version.
Is it now safe to make the financial transaction on my laptop?
I have been reluctant to make any financial transactions with the problem I've had.
I am pleased to hear that our product has been helpful to you. Thanks for supporting it. :)

Quote from: 236dave
Could you give an estimate of when the whitelist will be introduced?
I cannot give you a date for the time being but I will not fail to inform you when it's done.

Regards

236dave

« Reply #13 on: April 23, 2015, 08:56:12 pm »
Hi Curson,
I'm a bit puzzled; how will whitelisting help?

I still have the original problem, where extra iexplorer pages (normally ads) are being opened up in the background, which slows up my laptop.

How do I get rid of this problem?
Thanks for helping.
Dave

Curson

« Reply #14 on: April 24, 2015, 08:56:13 am »
Hi Dave,

I'm sorry, I had not realized that the problem was not solved.
We will investigate this more thoroughly.

Please download Farbar Recovery Scan Tool (x64) and save it to your Desktop.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe). Please also paste that along with the FRST.txt into your reply.
Regards.