iexplore.exe running each time I reboot/Please help

[peiraster]

Ried, I don't understand what you mean when you say:
"Since that file appears to have been on your system since 2004, I'd suggest proceeding with running Process Explorer, etc. "
Let me know, thanks.

[Ried]

We cross-posted again. Scroll up a bit.

[peiraster]

Ried, I read all your posts when I asked you, and I know you're referring to the file:
2004-08-04 00:56 1268049 ---h----- C:\WINDOWS\system32\Systemfiles\taskmgr.exe

but still, I don't understand what you mean or why you're asking me to run Process Explorer, etc again? And what do you mean by "etc"? Can you be specific? Sorry... :(

[Ried]

What I mean is that since that file appears to have been on your system since 2004, I doubt it is the source of this issue so please continue with my other suggestion regarding Process Explorer. Please refer to Post #53 for those instructions.

[peiraster]

Ok, but at the same time you're saying that we should wait for any malware report coming from the zip file I uploaded to the site you mentioned, right? (Eventhough I understand that you're placing low probability of any malware detected since the file has been since 2004 in my system?)

[Ried]

I'm sorry for the confusion...I was trying to anticipate your thought that perhaps that file is 'bad' due to my inquiry and subsequent request for the upload of that file. No decision will be made on whether that file is good or bad until he has time to inspect it.

So, yes--don't do anything with that file until I hear from him.

In the meantime, proceed with the remaining suggestion in Post #53

[peiraster]

ok, I'll do that, but at the same time I'm also starting to think that reinstalling Windows might be less time consuming than finding a solution to this. Just that I'm not placing much hope that uninstalling applications will solve this, eventually having to reinstall them again.
Anyway, which applications do you suggest to try uninstalling first? Adobe Acrobat 3D and Total Recorder?

[Ried]

Yes, I think reinstalling Windows would be the easiest solution.

Provided both of those programs are still listed under iexplore.exe in the Process Explorer, I'd uninstall Total Recorder first.

[Ried]

peiraster--that folder and the files within it, is the culprit. File dates are easily manipulated, which is why I stated that it appears to be from 2004.

Please do the following:

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

Folder::
C:\WINDOWS\system32\Systemfiles

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7AC5DF9C-0F1C-E2CB-6770-4B2C483A02CD}]

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt. Please post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Is iexplore.exe still running at boot up?

[peiraster]

Ried, yes iexplore.exe is still running at boot up, that is, the issue has not been resolved yet. As to the 2004 date, I freshly installed WinXP the last time in 2006 I think, so why is that file dated 2004? Also, when you say:"peiraster--that folder and the files within it, is the culprit." you mean to say that the issue prompting me to start this thread is caused by that folder and the files within it? In that folder I see a file "taskmgr.exe" dated 8/4/2004 and another one "klog.dat" dated 7/16/2007".
Regarding the combofix test you're requesting, you want me to submit the zip file to that website in addition to posting the log file here, or just post the log file? Let me know, thanks.

[Ried]

Quote:

As to the 2004 date, I freshly installed WinXP the last time in 2006 I think, so why is that file dated 2004?

Quote:

Originally Posted by Ried

File dates are easily manipulated, (by malware) which is why I stated that it appears to be from 2004.

When I said "that folder and the files in it are the culprit"--I am referring to the file you uploaded for inspection. Both files in the Systemfiles folder are malware related. The entire folder needs to be deleted since it was created by the malware as well. When you delete a folder, all files within it are deleted too.

Please just post the ComboFix.txt, no further uploads are needed at this time.

Also, run a new scan with SilentRunner and post that log in your next reply too.

[peiraster]

So you want me to go ahead and delete the hidden folder "C:\WINDOWS\system32\Systemfiles" ? Or should I first run the scans you're asking without deleting them?

[Ried]

The CFScript I gave you instructions for in Post #69 will do all that for you, as well as delete the registry entry and produce a resultant ComboFix.txt

After you've completed those particular set of instructions for running ComboFix, the scan with SilentRunner again and post that log in your next reply along with the C:\ComboFix.txt

[peiraster]

Ried, good news! I ran the combofix scan you requested. After completing that scan I rebooted in order to run the Silentrunner scan, but I checked with Task Manager that "iexplore.exe" was no longer running in the backgound! So I decided to post this news to you. Do you still want me to run Silentrunner? Is the issue solved? I am posting the combofix.txt log below, let me know, thanks.

"Dell" - 2007-07-16 16:37:00 - ComboFix 07-07-16.4 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Dell\Desktop\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Dell\APPLIC~1.\addon.dat
C:\WINDOWS\system32\Systemfiles
C:\WINDOWS\system32\Systemfiles\klog.dat
C:\WINDOWS\system32\Systemfiles\taskmgr.exe


((((((((((((((((((((((((( Files Created from 2007-06-16 to 2007-07-16 )))))))))))))))))))))))))))))))


2007-07-16 03:19 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-07-16 03:19 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-07-16 03:19 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-07-16 03:19 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-07-16 03:19 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-07-16 03:19 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-07-16 03:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-07-15 12:45 25,989,120 --a------ C:\DOCUME~1\Dell\ntuser.dat
2007-07-11 10:54 278,528 --a------ C:\WINDOWS\system32\livesnth.dll
2007-07-11 10:54 203,776 --a------ C:\WINDOWS\system32\clrviddc.dll
2007-07-11 10:42 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-07-11 01:46 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-10 18:49 <DIR> d-------- C:\Program Files\jv16 PowerTools 2007
2007-07-10 01:30 <DIR> d-------- C:\DOCUME~1\Dell\APPLIC~1\MainConcept
2007-07-06 00:18 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-07-05 06:48 <DIR> d-------- C:\Program Files\Windows Defender
2007-07-05 03:27 <DIR> d-------- C:\Deckard
2007-07-02 19:39 0 --a------ C:\WINDOWS\system32\SBRC.dat
2007-07-02 19:39 0 --a------ C:\WINDOWS\system32\SBFC.dat
2007-07-02 18:57 <DIR> d-------- C:\DOCUME~1\Dell\APPLIC~1\Sunbelt Software
2007-07-01 20:30 <DIR> d-------- C:\Program Files\Apple Software Update
2007-07-01 20:29 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-01 20:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-01 16:32 75 -r-hs---- C:\WINDOWS\FFSSET.BIN
2007-07-01 16:29 <DIR> d-------- C:\DOCUME~1\Dell\APPLIC~1\PanoramaStudio
2007-07-01 16:28 <DIR> d-------- C:\Program Files\PanoramaStudio
2007-07-01 16:21 <DIR> d-------- C:\Program Files\Typhoon Software
2007-07-01 16:16 <DIR> d-------- C:\Program Files\Collectorz.com
2007-07-01 16:10 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-07-01 13:12 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-07-01 13:12 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-07-01 13:12 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-07-01 13:12 144,448 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-07-01 13:12 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-07-01 13:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-07-01 12:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-29 15:09 490,272 --a------ C:\WINDOWS\system32\LVUI2.dll
2007-06-29 15:09 465,696 --a------ C:\WINDOWS\system32\LVUI2RC.dll
2007-06-29 15:09 416,544 --a------ C:\WINDOWS\system32\lvcodec2.dll
2007-06-29 15:09 41,888 --a------ C:\WINDOWS\system32\drivers\LVUSBSta.sys
2007-06-29 15:09 3,580,832 --a------ C:\WINDOWS\system32\drivers\lvuvc.sys
2007-06-29 15:09 22,560 --a------ C:\WINDOWS\system32\drivers\lvuvcflt.sys
2007-06-29 15:09 195,360 --a------ C:\WINDOWS\system32\lvci1100.dll
2007-06-29 15:09 15,558 --a------ C:\WINDOWS\system32\Repository.reg
2007-06-29 15:09 1,921,184 --a------ C:\WINDOWS\system32\drivers\lvpopflt.sys
2007-06-29 15:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\LogiShrd
2007-06-28 00:34 <DIR> d-------- C:\Program Files\Pando Networks
2007-06-28 00:31 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-06-27 19:48 3,840 --a------ C:\WINDOWS\system32\drivers\BANTExt.sys
2007-06-25 20:24 10,395,648 --a------ C:\WINDOWS\The Spartans 3D Screensaver.scr
2007-06-25 20:20 10,395,648 --a------ C:\WINDOWS\system32\The Spartans 3D Screensaver.scr
2007-06-25 20:20 <DIR> d-------- C:\Program Files\The Spartans 3D Screensaver
2007-06-24 18:11 <DIR> d-------- C:\DOCUME~1\Dell\APPLIC~1\TERMINAL Studio
2007-06-24 18:07 11,755,520 --a------ C:\WINDOWS\system32\Wild West 3D Screensaver.scr
2007-06-24 15:07 <DIR> d-------- C:\Program Files\PhotoWatermark Professional 7
2007-06-24 15:02 <DIR> d-------- C:\Program Files\Carnival Software
2007-06-24 15:01 <DIR> d-------- C:\DOCUME~1\Dell\APPLIC~1\Carnival Software
2007-06-24 14:51 <DIR> d-------- C:\Program Files\Natura Sound Therapy v2.0
2007-06-24 14:48 <DIR> d-------- C:\Program Files\Forest Lake 3D Screensaver
2007-06-24 14:43 197,120 --a------ C:\WINDOWS\system32\3-D_Serengeti_Safari.scr
2007-06-24 14:43 <DIR> d-------- C:\WINDOWS\system32\3-D_Serengeti_Safari dir
2007-06-24 14:39 2,523,136 --a------ C:\WINDOWS\system32\3DFireworks.scr
2007-06-24 14:39 <DIR> d-------- C:\Program Files\WebAppstogo
2007-06-24 14:37 241,664 --a------ C:\WINDOWS\system32\Cape Hatteras Lighthouse.scr
2007-06-24 14:36 241,664 --a------ C:\WINDOWS\Cape Hatteras Lighthouse.scr
2007-06-24 14:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Softdisk LLC
2007-06-24 12:37 <DIR> d-------- C:\Program Files\Common Files\COWON
2007-06-20 13:33 532,480 --a------ C:\WINDOWS\system32\3-D_Ghost_Ship.scr
2007-06-20 13:33 <DIR> d-------- C:\WINDOWS\system32\3-D_Ghost_Ship dir
2007-06-20 13:30 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-06-16 19:11 2,106,368 --a------ C:\WINDOWS\radarss.scr
2007-06-16 19:09 2,106,368 --a------ C:\WINDOWS\system32\radarss.scr
2007-06-16 19:09 <DIR> d-------- C:\Program Files\Radar Screensaver


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-16 14:31:43 -------- d-----w C:\Program Files\Weather Watcher
2007-07-16 06:21:06 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-16 06:17:56 -------- d-----w C:\Program Files\Google
2007-07-16 04:45:44 -------- d-----w C:\Program Files\XoftSpySE
2007-07-15 17:42:40 -------- d-----w C:\DOCUME~1\Dell\APPLIC~1\uTorrent
2007-07-15 17:25:41 -------- d-----w C:\Program Files\FlashGet
2007-07-13 06:52:04 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item2-7-13-2007_3-45-8_3672642.dnp
2007-07-13 06:51:07 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item2-7-13-2007_3-45-8_8909030.dnp
2007-07-13 06:51:07 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item2-7-13-2007_3-45-8_5446954.dnp
2007-07-13 06:51:07 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item2-7-13-2007_3-45-8_430335.dnp
2007-07-13 06:51:07 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item2-7-13-2007_3-45-8_182715.dnp
2007-07-13 06:51:07 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item2-7-13-2007_3-45-8_1094619.dnp
2007-07-13 06:51:06 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item2-7-13-2007_3-45-8_8491106.dnp
2007-07-13 06:51:06 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item2-7-13-2007_3-45-8_338428.dnp
2007-07-13 06:51:06 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item2-7-13-2007_3-45-8_1706982.dnp
2007-07-13 06:49:48 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item2-7-13-2007_3-45-8_5359716.dnp
2007-07-13 06:47:52 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item2-7-13-2007_3-45-8_8301680.dnp
2007-07-13 06:47:51 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item2-7-13-2007_3-45-8_8886405.dnp
2007-07-13 06:47:51 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item2-7-13-2007_3-45-8_3984932.dnp
2007-07-13 06:47:51 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item2-7-13-2007_3-45-8_2367098.dnp
2007-07-13 06:47:51 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item2-7-13-2007_3-45-8_2242142.dnp
2007-07-13 06:47:50 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item2-7-13-2007_3-45-8_9798824.dnp
2007-07-13 06:47:50 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item2-7-13-2007_3-45-8_1130339.dnp
2007-07-13 06:47:49 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item2-7-13-2007_3-45-8_8430535.dnp
2007-07-11 23:05:59 -------- d-----w C:\DOCUME~1\Dell\APPLIC~1\ATI MMC
2007-07-11 13:43:52 -------- d-----w C:\DOCUME~1\Dell\APPLIC~1\Real
2007-07-11 13:42:31 -------- d-----w C:\Program Files\Common Files\Real
2007-07-11 06:26:05 -------- d-----w C:\Program Files\Norton Internet Security
2007-07-10 19:14:54 -------- d-----w C:\Program Files\SUPERAntiSpyware
2007-07-10 04:46:37 73 ----a-w C:\WINDOWS\system32\ssprs.dll
2007-07-10 04:46:37 205 ----a-w C:\WINDOWS\system32\lsprst7.dll
2007-07-04 04:49:05 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-4-2007_1-44-14_3114922.dnp
2007-07-04 04:48:18 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-4-2007_1-44-14_9126149.dnp
2007-07-04 04:48:18 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-4-2007_1-44-14_7693010.dnp
2007-07-04 04:48:18 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-4-2007_1-44-14_7234634.dnp
2007-07-04 04:48:18 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-4-2007_1-44-14_5297240.dnp
2007-07-04 04:48:18 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-4-2007_1-44-14_5283812.dnp
2007-07-04 04:48:18 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-4-2007_1-44-14_2701820.dnp
2007-07-04 04:48:18 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-4-2007_1-44-14_2070685.dnp
2007-07-04 04:48:18 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-4-2007_1-44-14_1745298.dnp
2007-07-04 04:47:08 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-4-2007_1-44-14_6962336.dnp
2007-07-04 04:45:41 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-4-2007_1-44-14_6884999.dnp
2007-07-04 04:45:40 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-4-2007_1-44-14_716938.dnp
2007-07-04 04:45:40 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-4-2007_1-44-14_6086646.dnp
2007-07-04 04:45:40 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-4-2007_1-44-14_3835270.dnp
2007-07-04 04:45:40 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-4-2007_1-44-14_3751130.dnp
2007-07-04 04:45:40 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-4-2007_1-44-14_1494708.dnp
2007-07-04 04:45:39 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-4-2007_1-44-14_9336971.dnp
2007-07-04 04:45:39 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-4-2007_1-44-14_2992764.dnp
2007-07-03 06:22:21 -------- d-----w C:\Program Files\Starry Night Pro Plus 6
2007-07-03 04:49:58 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-03 04:01:18 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-56-20_5987970.dnp
2007-07-03 04:00:29 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-56-20_7730245.dnp
2007-07-03 04:00:29 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-56-20_3044789.dnp
2007-07-03 04:00:29 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-56-20_1022807.dnp
2007-07-03 04:00:28 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-56-20_9654973.dnp
2007-07-03 04:00:28 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-56-20_7832210.dnp
2007-07-03 04:00:28 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-56-20_4845474.dnp
2007-07-03 04:00:28 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-56-20_444173.dnp
2007-07-03 04:00:28 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-56-20_1889346.dnp
2007-07-03 03:59:17 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-56-20_7655791.dnp
2007-07-03 03:57:49 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-56-20_7318080.dnp
2007-07-03 03:57:49 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-56-20_4696700.dnp
2007-07-03 03:57:49 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-56-20_1874474.dnp
2007-07-03 03:57:48 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-56-20_9136477.dnp
2007-07-03 03:57:48 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-56-20_7954858.dnp
2007-07-03 03:57:48 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-56-20_7643432.dnp
2007-07-03 03:57:48 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-56-20_372465.dnp
2007-07-03 03:57:48 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-56-20_1463072.dnp
2007-07-03 03:48:54 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-43-56_6718591.dnp
2007-07-03 03:48:04 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-43-56_6261425.dnp
2007-07-03 03:48:03 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-43-56_9075475.dnp
2007-07-03 03:48:03 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-43-56_8306520.dnp
2007-07-03 03:48:03 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-43-56_6256320.dnp
2007-07-03 03:48:03 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-43-56_3971231.dnp
2007-07-03 03:48:03 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-43-56_3166174.dnp
2007-07-03 03:48:03 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-43-56_2092381.dnp
2007-07-03 03:48:02 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-43-56_9355214.dnp
2007-07-03 03:47:03 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-43-56_8208400.dnp
2007-07-03 03:45:30 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-43-56_4433864.dnp
2007-07-03 03:45:29 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-43-56_3041705.dnp
2007-07-03 03:45:28 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-43-56_8804206.dnp
2007-07-03 03:45:28 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-43-56_51897.dnp
2007-07-03 03:45:28 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-43-56_2547625.dnp
2007-07-03 03:45:27 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-43-56_7967900.dnp
2007-07-03 03:45:27 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-43-56_703822.dnp
2007-07-03 03:45:27 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item3-7-3-2007_0-43-56_3612644.dnp
2007-07-03 03:34:10 -------- d-----w C:\Program Files\TrojanHunter 4.6
2007-07-01 23:30:48 -------- d-----w C:\Program Files\iTunes
2007-07-01 23:30:41 -------- d-----w C:\Program Files\iPod
2007-07-01 19:33:49 -------- d-----w C:\DOCUME~1\Dell\APPLIC~1\Reallusion
2007-07-01 19:32:27 -------- d-----w C:\Program Files\Reallusion
2007-07-01 19:23:44 -------- d-----w C:\DOCUME~1\Dell\APPLIC~1\Skype
2007-07-01 16:12:40 -------- d-----w C:\Program Files\Webroot
2007-07-01 16:11:49 -------- d-----w C:\DOCUME~1\Dell\APPLIC~1\Webroot
2007-07-01 15:56:45 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-06-29 18:48:03 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2007-06-29 18:11:03 -------- d-----w C:\Program Files\Common Files\LogiShrd
2007-06-29 18:08:19 -------- d-----w C:\Program Files\Logitech
2007-06-28 17:00:29 -------- d-----w C:\Program Files\eMule
2007-02-27 04:33:34 56 --sh--r C:\WINDOWS\system32\9E16596497.sys
2007-03-10 12:49:54 8 --sh--r C:\WINDOWS\system32\D624CD96E0.sys
2007-02-27 22:00:16 88 --sh--r C:\WINDOWS\system32\E096CD24D6.sys
2007-03-10 12:49:54 4,704 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00C6482D-C502-44C8-8409-FCE54AD9C208}]
2007-05-01 11:11 63048 --a------ C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07A11D74-9D25-4fea-A833-8B0D76A5577A}]
2007-05-18 00:05 71184 -ra------ C:\Program Files\Mindjet\MindManager 7\Mm7InternetExplorer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
2007-06-08 15:18 976424 --a------ C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}]
2007-05-16 06:03 94308 --a------ C:\Program Files\FlashGet\jccatch.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4401FDC3-7996-4774-8D2B-C1AE9CD6CC25}]
2000-08-21 12:39 61440 --a------ C:\Program Files\E-Book Systems\FlipAlbum 6 Pro\FpLaunch.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{724d43a9-0d85-11d4-9908-00400523e39a}]
2007-05-27 04:01 5600312 --a------ C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
2006-10-27 00:48 2210608 --a------ C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9ECB9560-04F9-4bbc-943D-298DDF1699E1}]
2004-08-30 23:29 103568 --a------ C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
2007-05-10 22:47 321120 --a------ C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
2007-07-16 03:17 324536 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
2005-10-19 12:54 218736 --a------ C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F156768E-81EF-470C-9057-481BA8380DBA}]
2007-05-16 02:05 163840 --a------ C:\Program Files\FlashGet\getflash.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 09:50 C:\WINDOWS\LOGI_MWX.EXE]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19]
"LTWinModem1"="ltmsg.exe" [2001-04-03 10:38 C:\WINDOWS\system32\ltmsg.exe]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-04-03 21:23]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [2006-06-25 12:17]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57]
"pdfSaver3"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="" []
"@"="" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"="C:\Program Files\WinFax\WfxSeh32.Dll" [1998-07-27 04:54]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]
"{51C55F9E-C308-4c95-89AB-8858D8AFD819}"="C:\Program Files\ParetoLogic\Anti-Spyware\PASShlExt.dll" [2007-03-29 15:08]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll --a------ 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=acaptuser32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
UxTuneUp


Contents of the 'Scheduled Tasks' folder
2007-07-05 09:51:52 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.1017 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-16 16:45:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-16 16:47:56 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-16 16:47

--- E O F ---

[Ried]

That is good news.

No, there is no need for Silent Runner log now.

Use the computer for a day or so, and let me know how it is behaving.

[peiraster]

Ried tell me, because I want to know...what was the cause of the problem? If it was not malware (we ran several tests and discarded malware), then what was it? Can you explain? Thanks

[peiraster]

I forgot to add that I did not uninstall any application as you suggested (Total Recorder, etc). The issue was fixed by just running Combofix the way you described.

[Ried]

Hi peiraster,

Yes--it was malware that caused your issue.

Quote:

we ran several tests and discarded malware

In the beginning stages, yes, malware was put aside as the reason, because all of the standard scans were not revealing anything. I spotted an entry in Silent Runners log that did raise a question in my mind, but I thought the file was missing and it was merely an orphaned registry entry since I did not see the file listed out in the main.txt as arriving on your system in the past 3 months. (which included the time frame in which you first began experiencing your symptoms.)

After you restored to April and the problem was still there, I began to suspect that the file date had been manipulated by the malware that placed it there--so I had you look for that folder and tell me if it was on your system. I then had you upload that file for inspection.

[peiraster]

Ried, so then the question is: what type of malware was it? (trojan, spyware, rootkit, etc) And what was its effect on my system? (I did not notice anything, my system was stable and performing normally once I ended iexplore.exe after boot up). And also, is it frequent that a malware is so stealthy? I mean Kasperksi, Norton, Spyware Doctor, Webroot Spysweeper, Spybot, Xoftspy, Nod32, Super Antispyware, Adaware...none of them detected anything!
By the way, I just rebooted again and iexplore.exe did not show up, so it seems the issue is resolved so far.

[Ried]

It was a variant of the bifrose trojan. I do not know which one, and since you wisely ended task on it every time it came up, it's difficult to say exactly how much personal information has been compromised.

I highly recommend changing any login info, passwords, etc, now that the trojan is gone. If you conducted any online banking during the time these sypmtoms were on-going, it would also be wise to contact your financial institutions to apprise them of your situation and keep an eye on the account for unauthorized use.