Infected with Hook.IEAT. Eating all memory. Please help.

[bentzon]

Hello!

I've got some kind of infection that eats away at my pc's resources in the form of iexplore.exe processes running in the background.
The processes start slowly but suddenly it drain all my memory and use a lot of processing power.
It even show up in the Task Manager application tab as Internet explorer windows with different website names on it.

I've tried to run some different removal programmes but so far nothing helps. Only thing that has found it so far is Roguekiller.

Attaching a print of the Roguekiller window with the processes shown.

[Curson]

Hi bentzon,

Welcome to Adlice.com Forum.
Could you please copy/paste full RogueKiller TXT report in your next reply ?

Regards.

[bentzon]

Cheers!

Here is the latest Roguekiller log.

RogueKiller V10.10.1.0 (x64) [Aug 17 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Jacobens [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Delete -- Date : 08/19/2015 13:15:23

¤¤¤ Processes : 2 ¤¤¤
[Proc.Injected] iexplore.exe(5428) -- C:\Program Files (x86)\Internet Explorer\iexplore.exe[7] -> Killed [TermProc]
[Proc.Injected] iexplore.exe(3452) -- C:\Program Files\Internet Explorer\iexplore.exe[7] -> Killed [TermProc]

¤¤¤ Registry : 6 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 83.255.245.11 193.150.193.150 ([-][EUROPEAN UNION (EU)])  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 83.255.245.11 193.150.193.150 ([-][EUROPEAN UNION (EU)])  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5518317A-09C5-47FF-8CEC-F6D8077EA3DB} | DhcpNameServer : 83.255.245.11 193.150.193.150 ([-][EUROPEAN UNION (EU)])  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5518317A-09C5-47FF-8CEC-F6D8077EA3DB} | DhcpNameServer : 83.255.245.11 193.150.193.150 ([-][EUROPEAN UNION (EU)])  -> Not selected
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Not selected
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Not selected

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1   localhost

¤¤¤ Antirootkit : 7 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessW : Unknown @ 0x56792b2 (jmp 0x90018275|call 0x306c)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ LPK.dll) user32.DLL - MessageBeep : Unknown @ 0x567ac9d (jmp 0x8e60ec67)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ IMM32.DLL) user32.DLL - SetWindowPos : Unknown @ 0x56792eb (jmp 0x8e62049d|call 0x3070|jmp 0x25)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ IMM32.DLL) user32.DLL - ShowWindow : Unknown @ 0x5679330 (jmp 0x8e618535|call 0x302b|jmp 0x25)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ shell32.DLL) user32.DLL - SetForegroundWindow : Unknown @ 0x56792e6 (jmp 0x8e5fa176|call 0x3070|jmp 0x25)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ CLBCatQ.DLL) advapi32.DLL - RegQueryValueExW : Unknown @ 0x567a963 (jmp 0x8fcc634e)
[IAT:Inl(Hook.IEAT)] (iexplore.exe @ Flash32_18_0_0_232.ocx) winmm.dll - waveOutWrite : Unknown @ 0x567acaf (jmp 0x90845d34|jmp 0xd6|call 0xfffe724f)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000DM003-1CH162 ATA Device +++++
--- User ---
[MBR] fa43237d720c81fcddb62387a135d2c8
[BSP] 3b5745a6888676fcf126c62d9d6cf5b4 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 953867 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: ST31500341AS ATA Device +++++
--- User ---
[MBR] d2f672e1decfd1aecee5935fdc15d6b4
[BSP] ab88def906e35d777a66520bcfeb76f2 : HP|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1430797 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: WDC WD1500AHFD-00RAR5 ATA Device +++++
--- User ---
[MBR] 66d369bc063226dd0262422cd7910bea
[BSP] fb3b3a56cba24c34b05339176b740eef : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 142987 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive3: HP DPF USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: HP DPF USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive5: HP DPF USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

[Curson]

Hi bentzon,

Your computer is probably infected. Please follow the following process.

• Restart your computer.
• Download Process Explorer and save it to your desktop.
  
• Click on the setup file (procexp.exe) and select Run as Administrator to start the tool.
  
• Locate the process named iexplore.exe, right click select Create Dump > Create Full Dump...
  
• Save the dump on your desktop, compress it and upload it using Adlice Upload.
  

Please download Farbar Recovery Scan Tool (x64) and save it to your Desktop.

• Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  
• Press Scan button.
  
• It will produce a log called FRST.txt in the same directory the tool is run from.
  
• Please copy and paste log back here.
• The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST64.exe). Please also paste that along with the FRST.txt into your reply.
  

Regards.

[bentzon]

Had to wait a while before the process started running after I restarted the computer but here it is.

Too much text so I used pastebin since it wouldn't fit in the reply. I hope that works out?

FRST.txt

http://pastebin.com/1zZ08i9x

Addition.txt

http://pastebin.com/HbYwSHVC

/ Jacob

[Curson]

Hi Jacob,

Download attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system !

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

How is the computer running ?

Regards.