
Thread: New advertising malware?

  #51 Juliet, Security Expert-emeritus (joined Feb 2007, Deep South, 4,084 posts)

    Process Explorer
    • Please download Process Explorer and save the file to your Desktop.
    • Right-Click ProcessExplorer.zip and click Extract All. Click Extract.
    • Open the ProcessExplorer folder on your Desktop, right-click procexp.exe and click Run as administrator to run the programme.
    • Click View DLLs.
    • If any of the following processes are highlighted in blue, click the process.
      Click File, Save As, and save the file in the same folder. Do so for each highlighted process.
      • Internet Explorer

    • Attach the file(s) in your next reply.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  #52 Member (joined Feb 2015, 73 posts)

    Quote Originally Posted by Juliet:
    Let's see if we can remove IE plugin in Firefox and see if it makes a difference. If it's there.

    There was no IE plugin. I'll have to run Process Explorer tomorrow. Here are the results of the search:

    Farbar Recovery Scan Tool (x64) Version: 25-02-2015 01
    Ran by Henry at 2015-02-28 20:22:28
    Running from C:\Users\Henry\Desktop
    Boot Mode: Safe Mode (minimal)

    ================== Search Files: "iexplore.exe" =============

    C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_8.0.7601.17514_none_1beb53526fc80c8d\iexplore.exe
    [2010-11-20 22:25][2010-11-20 22:25] 0673040 ____A (Microsoft Corporation) C613E69C3B191BB02C7A191741A1D024 [File is signed]

    C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.17633_none_854dedf9f74389b0\iexplore.exe
    [2015-02-10 16:42][2015-01-14 00:09] 0815288 ____A (Microsoft Corporation) 363BC25BACB34E9D40441968B1B3D5BE [File is signed]

    C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.17501_none_8555ea97f73dee78\iexplore.exe
    [2014-12-09 18:23][2014-11-26 20:10] 0815280 ____A (Microsoft Corporation) A24BFBAE8B50A6780B68FF3673FAB52F [File is signed]

    C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.17420_none_8562d1dff733eb94\iexplore.exe
    [2014-11-11 19:51][2014-11-07 14:23] 0815280 ____A (Microsoft Corporation) 591C6FD1541BAFAEEE82B1F5831C8532 [File is signed]

    C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.17358_none_856fec69f729e8b0\iexplore.exe
    [2014-11-01 10:56][2014-10-06 21:04] 0812736 ____A (Microsoft Corporation) F9F310F9FB7F294F00ABDD03453D8CEE [File is signed]

    C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.17239_none_8578a4f9f723b3b2\iexplore.exe
    [2014-11-01 10:55][2014-07-31 18:16] 0812224 ____A (Microsoft Corporation) CDF01A5C7927786A708EAEE91F14797B [File is signed]

    C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.17207_none_8575d1abf726346b\iexplore.exe
    [2014-10-26 18:27][2014-10-26 18:27] 0812216 ____A (Microsoft Corporation) CD900EFB4F8946A2BB1950D9F45915C2 [File is signed]

    C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.17041_none_858ffb5bf711c81f\iexplore.exe
    [2014-10-26 18:27][2014-10-26 18:27] 0811728 ____A (Microsoft Corporation) 0667ED9F8E905E1F73DB60ACCEDCBCA7 [File is signed]

    C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.16428_none_856219b9f734bb75\iexplore.exe
    [2014-10-26 18:17][2014-10-26 18:17] 0806096 ____A (Microsoft Corporation) C8A8321292A459B0A17FB39A782A5C74 [File is signed]

    C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_8.0.7601.17514_none_1196a9003b674a92\iexplore.exe
    [2010-11-20 22:24][2010-11-20 22:24] 0695056 ____A (Microsoft Corporation) 86257731DDB311FBC283534CC0091634 [File is signed]

    C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.17633_none_7af943a7c2e2c7b5\iexplore.exe
    [2015-02-10 16:42][2015-01-14 00:47] 0813744 ____A (Microsoft Corporation) 2D4AB594AABBEBA938F36BA1BC71C3F6 [File is signed]

    C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.17501_none_7b014045c2dd2c7d\iexplore.exe
    [2014-12-09 18:23][2014-11-26 20:43] 0813744 ____A (Microsoft Corporation) 2A9DA9E7462EBA3F6D2036E8D18FF773 [File is signed]

    C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.17420_none_7b0e278dc2d32999\iexplore.exe
    [2014-11-11 19:51][2014-11-07 14:49] 0813744 ____A (Microsoft Corporation) F00FC8AF1B04C4611F92BC3DA01A2F49 [File is signed]

    C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.17358_none_7b1b4217c2c926b5\iexplore.exe
    [2014-11-01 10:56][2014-10-06 21:54] 0810680 ____A (Microsoft Corporation) 6B9FDB34A5A490FF6A7EDE280062626A [File is signed]

    C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.17239_none_7b23faa7c2c2f1b7\iexplore.exe
    [2014-11-01 10:55][2014-07-31 18:41] 0810176 ____A (Microsoft Corporation) 31A7689F580F37B52F65B9653F8916D4 [File is signed]

    C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.17207_none_7b212759c2c57270\iexplore.exe
    [2014-10-26 18:27][2014-10-26 18:27] 0810160 ____A (Microsoft Corporation) 24868C9D422EDB5B249C0C81B01A0C19 [File is signed]

    C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.17041_none_7b3b5109c2b10624\iexplore.exe
    [2014-10-26 18:27][2014-10-26 18:27] 0809680 ____A (Microsoft Corporation) EA8386CA87165460D39A1D29FF11080B [File is signed]

    C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.16428_none_7b0d6f67c2d3f97a\iexplore.exe
    [2014-10-26 18:17][2014-10-26 18:17] 0804560 ____A (Microsoft Corporation) 0685765C0CBE095BA0C6C8790BAE21EF [File is signed]

    C:\Windows\erdnt\cache86\iexplore.exe
    [2015-02-25 09:11][2015-01-14 00:09] 0815288 ____A (Microsoft Corporation) 363BC25BACB34E9D40441968B1B3D5BE [File is signed]

    C:\Program Files (x86)\Malwarebytes Anti-Malware\Chameleon\Windows\iexplore.exe
    [2015-01-03 09:26][2014-11-21 06:12] 0761656 ____A (MalwareBytes) 625BB08813743947985B0DEEFC35ED12 [File is signed]

    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    [2015-02-10 16:42][2015-01-14 00:09] 0815288 ____A (Microsoft Corporation) 363BC25BACB34E9D40441968B1B3D5BE [File is signed]

    C:\Program Files\Internet Explorer\iexplore.exe
    [2015-02-10 16:42][2015-01-14 00:47] 0813744 ____A (Microsoft Corporation) 2D4AB594AABBEBA938F36BA1BC71C3F6 [File is signed]

    ====== End Of Search ======
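The search output above is what an analyst reads by eye: for each copy of iexplore.exe, FRST prints the path, two timestamps, the size, attributes, publisher, MD5 and signature status. The Python below is an added example, not part of the thread and not FRST's own code. It parses that two-line record format and applies the checks the helper applied here: is the file signed, is the publisher Microsoft, does it sit in a directory where Internet Explorer is expected, and if not, does its hash at least match a live copy (a backup such as the erdnt cache). The sample input copies five records from the post's log and adds one constructed, unsigned entry under a Temp directory. The created-then-modified column order and the list of expected directories are assumptions for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Detail line FRST prints under each matched path:
#   [created][modified] size attributes (publisher) MD5 [signature status]
# Created-then-modified is assumed to be the column order; adjust if your FRST build differs.
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\]\[(?P<modified>[^\]]+)\]\s+"
    r"(?P<size>\d+)\s+(?P<attrs>\S+)\s+\((?P<company>[^)]*)\)\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\[(?P<sig>[^\]]+)\]$"
)

# Where a genuine iexplore.exe lives on 64-bit Windows 7 (assumption for this example).
LIVE_DIRS = (
    "c:\\program files\\internet explorer\\",
    "c:\\program files (x86)\\internet explorer\\",
)
# WinSxS holds the component-store copies that servicing keeps around.
EXPECTED_DIRS = ("c:\\windows\\winsxs\\",) + LIVE_DIRS


@dataclass
class FrstFile:
    path: str
    created: str
    modified: str
    size: int
    attrs: str
    company: str
    md5: str
    signed: bool


def parse_search(text: str) -> List[FrstFile]:
    """Pair each path line with the detail line that follows it; skip headers and blanks."""
    lines = [ln.strip() for ln in text.splitlines()]
    files: List[FrstFile] = []
    i = 0
    while i + 1 < len(lines):
        m = DETAIL_RE.match(lines[i + 1])
        if lines[i] and not lines[i].startswith("=") and m:
            files.append(FrstFile(
                path=lines[i],
                created=m["created"], modified=m["modified"],
                size=int(m["size"]), attrs=m["attrs"],
                company=m["company"], md5=m["md5"].upper(),
                signed=m["sig"].lower() == "file is signed",
            ))
            i += 2
        else:
            i += 1
    return files


def triage(files: List[FrstFile]) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for every copy an analyst should look at more closely."""
    live_hashes = {f.md5 for f in files if f.path.lower().startswith(LIVE_DIRS)}
    findings = []
    for f in files:
        reasons = []
        if not f.signed:
            reasons.append("not signed")
        if f.company != "Microsoft Corporation":
            reasons.append(f"publisher is {f.company or 'blank'!r}, not Microsoft")
        if not f.path.lower().startswith(EXPECTED_DIRS):
            note = "unexpected location"
            if f.md5 in live_hashes:
                note += " (hash matches a live copy, so probably a backup)"
            reasons.append(note)
        if reasons:
            findings.append((f.path, reasons))
    return findings


# Sample input: five records copied from the thread's FRST output, plus one constructed
# entry (the Temp path) showing how an unsigned copy with no publisher is reported.
SAMPLE = r"""
================== Search Files: "iexplore.exe" =============

C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.17633_none_854dedf9f74389b0\iexplore.exe
[2015-02-10 16:42][2015-01-14 00:09] 0815288 ____A (Microsoft Corporation) 363BC25BACB34E9D40441968B1B3D5BE [File is signed]

C:\Windows\erdnt\cache86\iexplore.exe
[2015-02-25 09:11][2015-01-14 00:09] 0815288 ____A (Microsoft Corporation) 363BC25BACB34E9D40441968B1B3D5BE [File is signed]

C:\Program Files (x86)\Malwarebytes Anti-Malware\Chameleon\Windows\iexplore.exe
[2015-01-03 09:26][2014-11-21 06:12] 0761656 ____A (MalwareBytes) 625BB08813743947985B0DEEFC35ED12 [File is signed]

C:\Program Files (x86)\Internet Explorer\iexplore.exe
[2015-02-10 16:42][2015-01-14 00:09] 0815288 ____A (Microsoft Corporation) 363BC25BACB34E9D40441968B1B3D5BE [File is signed]

C:\Program Files\Internet Explorer\iexplore.exe
[2015-02-10 16:42][2015-01-14 00:47] 0813744 ____A (Microsoft Corporation) 2D4AB594AABBEBA938F36BA1BC71C3F6 [File is signed]

C:\Users\EXAMPLE\AppData\Local\Temp\iexplore.exe
[2015-02-27 11:02][2015-02-27 11:02] 0213504 ____A () 0123456789ABCDEF0123456789ABCDEF [File not signed]

====== End Of Search ======
"""

if __name__ == "__main__":
    for path, reasons in triage(parse_search(SAMPLE)):
        print(path)
        for r in reasons:
            print("   -", r)
```

Run against the sample, it leaves the WinSxS and both Program Files copies alone, reports the erdnt cache copy as out of place but hash-identical to the live 32-bit binary, reports the Malwarebytes Chameleon decoy for its non-Microsoft publisher, and reports the constructed Temp copy on all three counts. A signed file with a Microsoft publisher string is not proof of integrity on its own, which is why the hash comparison against the live copies is kept as a separate signal.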

  #53 Juliet (Security Expert-emeritus)

    OK, so far these are clean.

  #54 Member

    Quote Originally Posted by Juliet:
    Process Explorer
    • Please download Process Explorer and save the file to your Desktop.
    • Right-Click ProcessExplorer.zip and click Extract All. Click Extract.
    • Open the ProcessExplorer folder on your Desktop, right-click procexp.exe and click Run as administrator to run the programme.
    • Click View DLLs.
    • If any of the following processes are highlighted in blue, click the process.
      Click File, Save As, and save the file in the same folder. Do so for each highlighted process.
      • Internet Explorer

    • Attach the file(s) in your next reply.
    I didn't have a 'View DLLs' option... but there was an option to show a lower pane. I used that. There were 3 instances of iexplore running. 1 appeared to be a subprocess of Firefox (that's the '1a.txt' file), 1 appeared to be a main Internet Explorer process ('2a.txt' file) and 1 appeared to be a subprocess of Internet Explorer ('3a.txt' file).
    Attached Files
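The post above describes exactly the question Process Explorer's tree answers: which process started each iexplore.exe, and where is each one running from? The Python below is an added example, not part of the thread and not a Process Explorer export. It walks a process snapshot, prints the ancestry chain of any process, and lists the iexplore.exe instances whose parent or image path is not what a stock Internet Explorer install produces. The snapshot is constructed to mirror the poster's three instances (one under Firefox, one main IE process, one IE child of IE) plus a fourth running from a Temp directory. The expected parent names and image directories are assumptions for this example; an unexpected parent is a prompt to inspect that parent in the lower pane, not a verdict, which is consistent with the helper's conclusion in the next post that these instances were legitimate.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    image: str


# Directories a genuine iexplore.exe runs from on 64-bit Windows 7 (assumption).
EXPECTED_IMAGE_DIRS = (
    "c:\\program files\\internet explorer\\",
    "c:\\program files (x86)\\internet explorer\\",
)
# Parents an IE frame or tab process normally has: the shell, or another IE process (assumption).
EXPECTED_PARENTS = {"explorer.exe", "iexplore.exe"}

# Constructed snapshot, not the poster's real export. explorer.exe's parent (pid 1) is
# deliberately absent so the ancestry walk shows how a missing parent is handled.
SNAPSHOT: List[Proc] = [
    Proc(4, 0, "System", ""),
    Proc(1200, 1, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(2100, 1200, "firefox.exe", r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"),
    Proc(2300, 2100, "iexplore.exe", r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"),
    Proc(2400, 1200, "iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe"),
    Proc(2450, 2400, "iexplore.exe", r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"),
    Proc(2600, 1200, "iexplore.exe", r"C:\Users\EXAMPLE\AppData\Local\Temp\iexplore.exe"),
]


def by_pid(procs: List[Proc]) -> Dict[int, Proc]:
    return {p.pid: p for p in procs}


def ancestry(procs: List[Proc], pid: int) -> List[str]:
    """Process name followed by each parent's name, up to the root or a parent not in the snapshot."""
    table = by_pid(procs)
    chain: List[str] = []
    seen = set()  # guards against pid reuse producing a cycle in a stale snapshot
    while pid in table and pid not in seen:
        seen.add(pid)
        chain.append(table[pid].name)
        pid = table[pid].ppid
    return chain


def review_instances(procs: List[Proc], target: str = "iexplore.exe") -> Dict[int, List[str]]:
    """Map pid -> notes for every instance of `target` worth a closer look."""
    table = by_pid(procs)
    flagged: Dict[int, List[str]] = {}
    for p in procs:
        if p.name.lower() != target:
            continue
        notes: List[str] = []
        parent = table.get(p.ppid)
        parent_name = parent.name.lower() if parent else "<not in snapshot>"
        if parent_name not in EXPECTED_PARENTS:
            notes.append(f"unexpected parent {parent_name} (pid {p.ppid}); inspect what that parent loaded")
        if not p.image.lower().startswith(EXPECTED_IMAGE_DIRS):
            notes.append(f"image outside the expected IE directories: {p.image}")
        if notes:
            flagged[p.pid] = notes
    return flagged


if __name__ == "__main__":
    for p in SNAPSHOT:
        if p.name == "iexplore.exe":
            print(p.pid, " <- ".join(ancestry(SNAPSHOT, p.pid)))
    for pid, notes in review_instances(SNAPSHOT).items():
        print(pid, notes)
```

On the constructed snapshot the main IE process (2400) and its tab child (2450) pass both checks, the instance under firefox.exe (2300) is listed for its parent only, and the Temp copy (2600) is listed for its image path. In practice the image path and the parent are read straight off Process Explorer's tree and Image tab; the value of scripting it is consistency when there are many instances or repeated snapshots.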

  #55 Juliet (Security Expert-emeritus)

    It's all legit.

    I had another colleague step in and look over the logs, and their remarks are the same as mine: the machine appears clean; it's unlikely this is caused by malware.

    I cannot explain why all the IE processes are loading now when they didn't use to.

    Use the computer for a while and let's see if any alerts or error messages come up.

    Let's remove tools and quarantine folders.

    DelFix
    • Please download DelFix, or from here http://www.bleepingcomputer.com/download/delfix/, and save the file to your Desktop.
    • Double-click DelFix.exe to run the programme.
    • Place a checkmark next to the following items:
      • Activate UAC
      • Remove disinfection tools
      • Reset system settings
    • Click the Run button.

    -- This will remove the specialised tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).

  #56 Member

    Quote Originally Posted by Juliet:
    It's all legit.

    I had another colleague step in and look over the logs, and their remarks are the same as mine: the machine appears clean; it's unlikely this is caused by malware.

    I cannot explain why all the IE processes are loading now when they didn't use to.

    Use the computer for a while and let's see if any alerts or error messages come up.

    I don't have any alerts or error messages, but I still have the rogue processes coming up occasionally. I was checking a few other forums, and I found one that described almost exactly what's happening here. The only differences are that I don't have the volume turned on, so I don't know if any audio is being downloaded, and I don't know if Google searches are redirecting, because Firefox now uses Yahoo. Here's the link to the forum message I'm referring to:

    http://www.techspot.com/community/to...remove.174094/

  #57 Juliet (Security Expert-emeritus)

    I know the tech that helped in that topic. His name is Broni, very dedicated hard working guy. Has helped many people.

    One thing I picked up on is this topic was started Dec 1, 2011.

    This user was alerted to "Service (*** hidden *** ) [DISABLED] USBSTOR <-- ROOTKIT !!!", which you didn't have; rather, your machine had malware.

    The only tool listed in that topic we haven't used is GMER. Other rootkit scans were run, but nothing was identified.

    GMER
    • Please download GMER and save the file to your Desktop.
    • Right-Click the randomly named GMER file and select Run as administrator to run the programme.
    • Note: If asked to allow gmer.sys driver to load, please consent.
    • Important: If you receive a warning regarding Rootkit Activity, click NO.
    • You will see the GMER window. Referring to it, please ensure the following boxes are unchecked:
      • IAT/EAT
      • Drives/Partitions other than Systemdrive (typically C:\)
      • Show All (Important!)

    • Click Scan.
    • Upon completion, click [Save ...] and name the file GMER.txt.
    • Save the file to a convenient location (e.g. Desktop). Copy the contents of the log and paste it in your next reply.

    Important Note: Rootkit scans often produce false-positives. Do NOT take any action on, "<--- ROOTKIT" entries.
    ------------------------------------

    If you would like to change Firefox search engine to Google, please read the below link.

    https://support.google.com/websearch/answer/464?hl=en

  #58 Juliet (Security Expert-emeritus)

    Also, please don't run the FixTDSS.exe from Symantec/Norton. A great many machines became unbootable after running that tool.

  #59 Member

    I ran GMER, but I can't get the log file to you. The file is over 44K in length, which exceeds the 20,000 character length for the message. The upload manager is taking forever to upload it, like more than 10 minutes so far. I'll have to split it tomorrow and post it in several messages.

  #60 Juliet (Security Expert-emeritus)

    OK, that should work.
