#1
Good day all.
I have the iexplore.exe virus. Symptoms I noticed were my computer going slow (only one month old). I checked Task Manager and noticed iexplore.exe was taking up 100,000 memory. Here are my logs, forgive me if I messed up. By the way, I am running Windows Vista Home 64bit.

SuperAntiSpyware Log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/27/2009 at 07:35 PM

Application Version : 4.25.1014

Core Rules Database Version : 3778
Trace Rules Database Version: 1737

Scan type : Complete Scan
Total Scan Time : 01:11:44

Memory items scanned : 379
Memory threats detected : 0
Registry items scanned : 5750
Registry threats detected : 0
File items scanned : 135820
File threats detected : 28

Adware.Tracking Cookie
C:\Users\In-Touch Cellular\AppData\Roaming\Microsoft\Windows\Cookies\in-touch_cellular@doubleclick[1].txt
C:\Users\In-Touch Cellular\AppData\Roaming\Microsoft\Windows\Cookies\in-touch_cellular@insightexpressai[2].txt
C:\Users\In-Touch Cellular\AppData\Roaming\Microsoft\Windows\Cookies\in-touch_cellular@mediaplex[2].txt
C:\Users\In-Touch Cellular\AppData\Roaming\Microsoft\Windows\Cookies\in-touch_cellular@stats.adbrite[2].txt
C:\Users\In-Touch Cellular\AppData\Roaming\Microsoft\Windows\Cookies\in-touch_cellular@tribalfusion[1].txt
C:\Users\In-Touch Cellular\AppData\Roaming\Microsoft\Windows\Cookies\Low\in-touch_cellular@ad.yieldmanager[2].txt
C:\Users\In-Touch Cellular\AppData\Roaming\Microsoft\Windows\Cookies\Low\in-touch_cellular@adopt.specificclick[2].txt
C:\Users\In-Touch Cellular\AppData\Roaming\Microsoft\Windows\Cookies\Low\in-touch_cellular@ads.verticalscope[2].txt
C:\Users\In-Touch Cellular\AppData\Roaming\Microsoft\Windows\Cookies\Low\in-touch_cellular@advertising[2].txt
C:\Users\In-Touch Cellular\AppData\Roaming\Microsoft\Windows\Cookies\Low\in-touch_cellular@ar.atwola[2].txt
C:\Users\In-Touch Cellular\AppData\Roaming\Microsoft\Windows\Cookies\Low\in-touch_cellular@ar.atwola[3].txt
C:\Users\In-Touch Cellular\AppData\Roaming\Microsoft\Windows\Cookies\Low\in-touch_cellular@at.atwola[1].txt
C:\Users\In-Touch Cellular\AppData\Roaming\Microsoft\Windows\Cookies\Low\in-touch_cellular@atdmt[2].txt
C:\Users\In-Touch Cellular\AppData\Roaming\Microsoft\Windows\Cookies\Low\in-touch_cellular@atwola[1].txt
C:\Users\In-Touch Cellular\AppData\Roaming\Microsoft\Windows\Cookies\Low\in-touch_cellular@bs.serving-sys[1].txt
C:\Users\In-Touch Cellular\AppData\Roaming\Microsoft\Windows\Cookies\Low\in-touch_cellular@doubleclick[2].txt
C:\Users\In-Touch Cellular\AppData\Roaming\Microsoft\Windows\Cookies\Low\in-touch_cellular@edge.ru4[2].txt
C:\Users\In-Touch Cellular\AppData\Roaming\Microsoft\Windows\Cookies\Low\in-touch_cellular@insightexpressai[2].txt
C:\Users\In-Touch Cellular\AppData\Roaming\Microsoft\Windows\Cookies\Low\in-touch_cellular@mediaplex[2].txt
C:\Users\In-Touch Cellular\AppData\Roaming\Microsoft\Windows\Cookies\Low\in-touch_cellular@network.realmedia[1].txt
C:\Users\In-Touch Cellular\AppData\Roaming\Microsoft\Windows\Cookies\Low\in-touch_cellular@realmedia[1].txt
C:\Users\In-Touch Cellular\AppData\Roaming\Microsoft\Windows\Cookies\Low\in-touch_cellular@revsci[1].txt
C:\Users\In-Touch Cellular\AppData\Roaming\Microsoft\Windows\Cookies\Low\in-touch_cellular@serving-sys[2].txt
C:\Users\In-Touch Cellular\AppData\Roaming\Microsoft\Windows\Cookies\Low\in-touch_cellular@specificclick[2].txt
C:\Users\In-Touch Cellular\AppData\Roaming\Microsoft\Windows\Cookies\Low\in-touch_cellular@specificmedia[1].txt
C:\Users\In-Touch Cellular\AppData\Roaming\Microsoft\Windows\Cookies\Low\in-touch_cellular@tacoda[2].txt
C:\Users\In-Touch Cellular\AppData\Roaming\Microsoft\Windows\Cookies\Low\in-touch_cellular@trafficmp[1].txt
C:\Users\In-Touch Cellular\AppData\Roaming\Microsoft\Windows\Cookies\Low\in-touch_cellular@tribalfusion[2].txt

Malware Log

Malwarebytes' Anti-Malware 1.34
Database version: 1811
Windows 6.0.6001 Service Pack 1

2/27/2009 6:08:59 PM
mbam-log-2009-02-27 (18-08-59).txt

Scan type: Quick Scan
Objects scanned: 52040
Time elapsed: 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:06:02 PM, on 2/27/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\hp\support\hpsysdrv.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Internet Explorer\ieuser.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\Program Files (x86)\Hewlett-Packard\KBD\kbd.exe
C:\Program Files (x86)\Microsoft Virtual PC\Virtual PC.exe
C:\Windows\SysWow64\Macromed\Flash\FlashUtil9f.exe
C:\Program Files (x86)\Trend Micro\HijackThis\Juice.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...vilion&pf=cndt
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...vilion&pf=cndt
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...vilion&pf=cndt
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\16.2.0.7\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\Program Files (x86)\Hewlett-Packard\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "c:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [UpdatePDIRShortCut] "c:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [TSMAgent] "c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
O4 - HKLM\..\Run: [CLMLServer for HP TouchSmart] "c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
O4 - HKLM\..\Run: [DVDAgent] "c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ESDUSBMon.exe] C:\Windows\system32\ESDUSBMon.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: PictureMover.lnk = C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files (x86)\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD RAIDXpert (AMD_RAIDXpert) - AMD - C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpertService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - Unknown owner - C:\Windows\system32\Ati2evxx.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: EPSON ESC/POS Status Service (EPSON ESCPOS Status Service) - SEIKO EPSON Corp. - C:\Windows\SYSTEM32\EpStsSrv.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files (x86)\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SlingAgentService - Sling Media Inc. - C:\Program Files (x86)\Sling Media\SlingAgent\SlingAgentService.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9564 bytes
#2
Welcome to CJ.
Use the Kaspersky Lab Online Scanner. In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop, right click the icon to open the browser and choose Run as Administrator.
When the scan is done, in the Scan is complete window, any infection is displayed. There is no option to clean/disinfect; however, we need to analyze the information on the report. To obtain the report: Click on: Save Report As
Copy and paste the Kaspersky Online Scanner Report in your next reply. Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
#3
Saturday, February 28, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 64-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, February 28, 2009 22:35:09
Records in database: 1856925

Scan settings
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area: My Computer
C:\ D:\ E:\ G:\ H:\ I:\ J:\ K:\

Scan statistics
Files scanned: 139464
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:26:24

No malware has been detected. The scan area is clean.
The selected area was scanned.
#4
This doesn't appear to be a malware issue.
I would recommend that you defrag the computer. You can use the built-in Windows Defrag or a faster FREE program. Defraggler is very effective and easy to use. Be sure to clean out temp files and restart the computer just before using this. Use the Secunia Software Inspector to check for out-of-date software. Out-of-date software has security vulnerabilities that malware can exploit.
----------
Go to Microsoft Windows Update and get all critical updates.
----------
Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
#5
Thanks for the response, but I am almost positive I have a virus because all my programs have become memory hogs, and even when doing minimal things like browsing the web my computer slows to a crawl (purchased last month, has 8GB RAM).
I have taken a screen shot for you below. What else can I do to figure out if it's malware? I will do the defrag as you recommended, but I would appreciate more assistance.
#6
Download DrWeb CureIt & save it to your desktop. Scan with DrWeb-CureIt as follows:
#7
Thanks, I read your response to other people's problems and have been running CureIt for over an hour now. Will post results when done. Appreciate the time you put into this.
#8
No problem. CureIt can take a long while so just let it run.
#9
Hmm, CureIt found nothing also. Maybe my virus is just really good at hiding, or maybe I am just wrong? lol, which is it?
#10
Since Kaspersky and Dr Web found nothing I'm pretty sure it isn't a malware issue.
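The question the thread keeps circling is whether the iexplore.exe the poster saw in Task Manager is the genuine Internet Explorer binary at the path the HijackThis log shows. As an added example, not from this thread or from any of the tools it mentions, the PowerShell script below reports each running iexplore.exe's image path, Authenticode signature status and working set, and flags any instance that is not the expected binary; the expected paths are assumptions built from the environment variables.

```powershell
# Added example (not from the thread): triage every running iexplore.exe.
# For each instance report where the image lives, whether its Authenticode
# signature is valid, and its working set in KB (the unit Task Manager shows),
# then flag anything that is not the expected Internet Explorer binary.
# Expected locations are assumptions for this example; adjust as needed.
$expected = @(
    "$env:ProgramFiles\Internet Explorer\iexplore.exe",
    "${env:ProgramFiles(x86)}\Internet Explorer\iexplore.exe"
)

function Get-IEProcessReport {
    # Win32_Process is used instead of Get-Process because on 64-bit Windows a
    # 64-bit shell cannot read the image path of a 32-bit process via Get-Process.
    $procs = Get-WmiObject Win32_Process -Filter "Name = 'iexplore.exe'"
    foreach ($p in $procs) {
        $path = $p.ExecutablePath
        # Signature status is 'Valid' only for an intact, trusted-signed image.
        $sig = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
        $inExpectedDir = $false
        foreach ($e in $expected) {
            if ($path -and ($path -ieq $e)) { $inExpectedDir = $true }
        }
        New-Object PSObject -Property @{
            PID          = $p.ProcessId
            ParentPID    = $p.ParentProcessId
            Path         = $path
            Signature    = $sig
            WorkingSetKB = [int]($p.WorkingSetSize / 1KB)
            # Suspicious if it runs from an unexpected path or is not validly signed.
            Suspicious   = (-not $inExpectedDir) -or ($sig -ne 'Valid')
            CommandLine  = $p.CommandLine
        }
    }
}

Get-IEProcessReport | Sort-Object WorkingSetKB -Descending |
    Format-Table PID, ParentPID, WorkingSetKB, Signature, Suspicious, Path -AutoSize
```

Run it from an elevated PowerShell so the image paths of processes in other sessions are readable; an empty Path with Signature 'Unknown' usually means access was denied rather than that the file is hidden.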