GeekPolice
explorer.exe using 100% cpu

My wife opened a message from the fake WhatsApp voice message service 3 days ago. I ran Avira, Ad-Aware, AdwCleaner, and Malwarebytes, and some security program that MS said would fix the problem. Yesterday the process running was vyyxab.exe and after running Malwarebytes it has now changed to explorer.exe, or they were both there and separate viruses. I found the log file from AdwCleaner, but when I go to where Malwarebytes says the log file is I can't find it.

I am attaching AdwCleaner's first log since it won't let me post it on here.
I found the MBAM log but it's XML and can't be attached.

I will try to find the log from Malwarebytes. The first run I did in normal mode and it took nearly 3 hours, and didn't fix the problem, but did remove 150. The second time I ran it in safe mode and it removed another 109. I am leaving it in safe mode and doing this on my Mac; hopefully this thing doesn't spread through USB drives when transferring the logs.

Re: explorer.exe using 100% cpu

Hello and welcome to GeekPolice.Net. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
Remove the Adware:

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

*********************************************
Please download Junkware Removal Tool to your desktop.

Warning! Once the scan is complete JRT will shut down your browser with NO warning.

Shut down your protection software now to avoid potential conflicts.

  • Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
  • Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Copy and Paste the JRT.txt log into your next message.
*****************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
************************************
Malwarebytes' Anti-Rootkit

Please download Malwarebytes' Anti-Rootkit and save it to your desktop.

  • Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.

Running

Profile name : default-1395609776932 [Profil par défaut]
File : C:\Users\b\AppData\Roaming\Mozilla\Firefox\Profiles\5bdh1le6.default-1395609776932\prefs.js

[OK] File is clean.

Profile name : default
File : C:\Users\Mario\AppData\Roaming\Mozilla\Firefox\Profiles\gmdjriqc.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v33.0.1750.154

File : C:\Users\b\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [4556 octets] - [23/03/2014 19:16:02]
AdwCleaner[S1].txt - [3589 octets] - [23/03/2014 19:16:48]
AdwCleaner[R2].txt - [1407 octets] - [23/03/2014 19:39:45]
AdwCleaner[R3].txt - [1467 octets] - [23/03/2014 19:41:20]
AdwCleaner[S2].txt - [1531 octets] - [23/03/2014 19:41:39]
AdwCleaner[R4].txt - [1463 octets] - [24/03/2014 14:57:08]
AdwCleaner[S3].txt - [1523 octets] - [24/03/2014 14:57:40]
AdwCleaner[R5].txt - [2209 octets] - [24/03/2014 16:58:46]
AdwCleaner[S4].txt - [2283 octets] - [24/03/2014 16:59:46]
AdwCleaner[R6].txt - [1713 octets] - [25/03/2014 11:18:37]
AdwCleaner[R7].txt - [1773 octets] - [25/03/2014 13:14:01]
AdwCleaner[S5].txt - [1704 octets] - [25/03/2014 13:14:23]

########## EOF - C:\AdwCleaner[S5].txt - [1832 octets] ##########



JRT would not run so I went on to the next:

Results of screen317's Security Check version 0.99.81
x64
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Ad-Aware Antivirus
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Java 7 Update 51
Java(TM) 6 Update 3
Java version out of Date!
Adobe Flash Player 12.0.0.77
Google Chrome 33.0.1750.146
Google Chrome 33.0.1750.154
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1 %
````````````````````End of Log``````````````````````

This is after running mbar RootKit

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1009

(c) Malwarebytes Corporation 2011-2012

OS version: 6.0.6002 Windows Vista Service Pack 2 x64

System is currently in a safe mode

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.995000 GHz
Memory total: 3183779840, free: 1975422976

Downloaded database version: v2014.03.25.06
Downloaded database version: v2014.03.18.01
Initializing...
=======================================
------------ Kernel report ------------
03/25/2014 13:39:42
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\System32\Drivers\spnx.sys
\SystemRoot\System32\Drivers\WMILIB.SYS
\SystemRoot\System32\Drivers\SCSIPORT.SYS
\SystemRoot\system32\drivers\acpi.sys
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\compbatt.sys
\SystemRoot\system32\DRIVERS\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\msahci.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\AsDsm.sys
\SystemRoot\system32\DRIVERS\lullaby.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\msrpc.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\ecache.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\drivers\crcdisk.sys
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\tunmp.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\athrx.sys
\SystemRoot\system32\DRIVERS\L1E60x64.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbfiltr.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\ETD.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\ATK64AMD.sys
\SystemRoot\system32\DRIVERS\msiscsi.sys
\SystemRoot\system32\DRIVERS\storport.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\DRIVERS\rasacd.sys
\??\c:\program files\lavasoft\ad-aware antivirus\firewall engine\1.6.0.0\drivers\bdfndisf6.sys
\SystemRoot\system32\DRIVERS\tdx.sys
\??\C:\Program Files\Lavasoft\Ad-Aware Antivirus\Firewall Engine\1.6.0.0\Drivers\bdftdif.sys
\SystemRoot\system32\DRIVERS\smb.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_msahci.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\framebuf.dll
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\DRIVERS\cdfs.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa80035f74c0
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
Lower Device Object: 0xfffffa80033d2060
Lower Device Driver Name: \Driver\atapi\
IRP handler 0 of \Driver\atapi points to an unknown module
Unhooking enabled.
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa80035f74c0
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
Lower Device Object: 0xfffffa80033d2060
Lower Device Driver Name: \Driver\atapi\
Driver name found: atapi
Initialization returned 0x0
Port sub-driver loaded: \??\C:\Windows\System32\drivers\ataport.sys (0x0)
Load Function returned 0x0
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa80035f74c0, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80035f8b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa80035f74c0, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xfffffa8003345270, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xfffffa80033d2060, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
Upper DeviceData: 0xfffff880154f9720, 0xfffffa80035f74c0, 0xfffffa8005f48790
Lower DeviceData: 0xfffff88010d4f480, 0xfffffa80033d2060, 0xfffffa8005ef8080
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
File user open failed: C:\WINDOWS\SYSTEM32\drivers\sptd.sys (0x00000020)
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: D6811D82

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 2048 Numsec = 625137664
Partition file system is NTFS
Partition is bootable

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 320072933376 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-625122448-625142448)...
Sectors 1 - 94 --> [Forged physical sectors]
Sectors 211 - 550 --> [Forged physical sectors]
Done!
Infected: C:\Users\b\AppData\Local\Temp\UpdateFlashPlayer_0a08805d.exe --> [Spyware.Zbot]
Infected: C:\Users\b\AppData\Local\Temp\UpdateFlashPlayer_162d1dab.exe --> [Spyware.Zbot]
Infected: C:\Users\b\AppData\Local\Temp\UpdateFlashPlayer_1aa89991.exe --> [Spyware.Zbot]
Infected: C:\Users\b\AppData\Local\Temp\UpdateFlashPlayer_a3f07173.exe --> [Spyware.Zbot]
Infected: C:\Users\b\AppData\Local\Temp\UpdateFlashPlayer_b09cdcaf.exe --> [Spyware.Zbot]
Infected: C:\Users\b\AppData\Local\Temp\UpdateFlashPlayer_ec6f43a1.exe --> [Spyware.Zbot]
Infected: C:\Users\b\AppData\Local\Temp\UpdateFlashPlayer_f72e80b1.exe --> [Spyware.Zbot]
Scan finished
Creating System Restore point...
Could not create restore point...
Cleaning up...
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================


Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\LBA-0-1-u.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\LBA-0-1-k.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\LBA-0-211-u.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\LBA-0-211-k.mbam...
Removal finished


Database version: v2014.03.25.06

Windows Vista Service Pack 2 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
b :: B-PC [administrator]

3/25/2014 1:39:49 PM
mbar-log-2014-03-25 (13-39-49).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Kernel memory modifications detected. Deep Anti-Rootkit Scan engaged.
Objects scanned: 319438
Time elapsed: 37 minute(s), 4 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 7
C:\Users\b\AppData\Local\Temp\UpdateFlashPlayer_0a08805d.exe (Spyware.Zbot) -> Delete on reboot.
C:\Users\b\AppData\Local\Temp\UpdateFlashPlayer_162d1dab.exe (Spyware.Zbot) -> Delete on reboot.
C:\Users\b\AppData\Local\Temp\UpdateFlashPlayer_1aa89991.exe (Spyware.Zbot) -> Delete on reboot.
C:\Users\b\AppData\Local\Temp\UpdateFlashPlayer_a3f07173.exe (Spyware.Zbot) -> Delete on reboot.
C:\Users\b\AppData\Local\Temp\UpdateFlashPlayer_b09cdcaf.exe (Spyware.Zbot) -> Delete on reboot.
C:\Users\b\AppData\Local\Temp\UpdateFlashPlayer_ec6f43a1.exe (Spyware.Zbot) -> Delete on reboot.
C:\Users\b\AppData\Local\Temp\UpdateFlashPlayer_f72e80b1.exe (Spyware.Zbot) -> Delete on reboot.

Physical Sectors Detected: 2
Physical Sector #1 on Drive #0 (Forged physical sector) -> Replace on reboot.
Physical Sector #211 on Drive #0 (Forged physical sector) -> Replace on reboot.

(end)

I have the second one running now in safe mode because the explorer.exe was very persistent during the entire process, but only attacks when on a network.

Finished all of the tests.

So I finished the tests, and I ran the fixtools that came with the last one hoping that it would fix the security, but it doesn't seem to have worked. After rebooting into safe mode with network the virus still came back, so I rebooted it back into safe mode and put it to sleep until I get my next step of directions. I saw that Java is out of date, and was going to fix that but then remembered that I am supposed to do things as instructed. Sorta sad though, I have an AAS degree in programming with Java as my main language. But it is my wife's computer, I hate MS.

Re: explorer.exe using 100% cpu

The reason why it shows out-of-date is because there's an older version there. You can uninstall Java(TM) 6 Update 3.
Keep trying to run JRT.


Download Combofix from any of the links below, and save it to your DESKTOP.
If your version of Windows defaults to your download folder you will need to copy it to your desktop.

Link 1
Link 2
Link 3

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

  • Close any open windows and double click ComboFix.exe to run it.

    You will see the following image:

[image: NSIS_disclaimer_ENG]

Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:

[image: NSIS_extraction]

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.

[image: RcAuto1]

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: Whatnext]

Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Re: explorer.exe using 100% cpu

Tried to run JRT and the box to run showed this time, but when I click run you see a box open and close then nothing. So I am running ComboFix now. I'm hoping I didn't do something wrong because Ad-Aware is not responding when trying to shut it down, it says no service available, so I went into the task manager and ended its process there. ComboFix says it's still running so I tried to uninstall but ComboFix took over and shut down all other windows and ran anyway.

Last edited by ripper1028 on 26th March 2014, 2:31 pm; edited 1 time in total (Reason for editing : Can't paste combo's Log so attaching it.)

Re: explorer.exe using 100% cpu

I couldn't paste ComboFix.txt, I keep getting "you can't post emails or links". I removed all of the @ symbols and tried again and still got the error, so I removed the only links that I could find and still got the error.

Re: explorer.exe using 100% cpu

Internet Explorer's security is based upon a set of zones. Each zone has different security in terms of what scripts and applications can be run from a site that is in that zone. There is a security zone called the Trusted Zone. This zone has the lowest security and allows scripts and applications from sites in this zone to run without your knowledge. It is therefore a popular setting for malware sites to use so that future infections can be easily done on your computer without your knowledge as these sites will be in the Trusted Zone. Therefore, I recommend that nothing be allowed in the trusted zone. If you agree, please do the following.

Re-running ComboFix to remove infections:


  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::

    DDS::
    Trusted Zone: engdis.com

    Firefox::
    Trusted Zone: engdis.com


  • Save this as CFScript.txt, in the same location as ComboFix.exe

    [image: Cfscriptb4]

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • I don't need to see the log from this action.

*********************************************
I'd like to scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image: EsetOnline] button.
  • For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
      • Click on [image: EsetSmartInstall] to download the ESET Smart Installer. Save it to your desktop.
      • Double click on the [image: EsetSmartInstallDesktopIcon-1] icon on your desktop.
  • Check [image: EsetAcceptTerms].
  • Click the [image: EsetStart] button.
  • Accept any security warnings from your browser.
      • Leave the check mark next to Remove found threats.
  • Check [image: EsetScanArchives].
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image: EsetListThreats].
  • Push [image: EsetExport], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image: EsetBack] button.
  • Push [image: EsetFinish].
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
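As an added example (not part of the thread, and not ComboFix's own code), the PowerShell below audits the same setting the CFScript above clears for engdis.com: it lists every host the current user has mapped into the Internet Explorer Trusted sites zone (zone 2) and can remove those mappings. It reads the documented ZoneMap\Domains and ZoneMap\EscDomains registry branches; the function names are assumptions of this example.

```powershell
# Added example, not from the thread. Audits the Internet Explorer zone map
# of the current user for hosts placed in the Trusted sites zone.
#
# Registry layout:
#   HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\<domain>[\<host>]
#   Each key holds one DWORD per scheme ("http", "https" or "*") whose value is the zone id.
#   EscDomains is the parallel branch used by Enhanced Security Configuration.
# Zone ids: 0 = Local machine, 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.

$ZoneMapRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$ZoneNames   = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-ZoneMapEntry {
    # Returns one object per (host, scheme) pair found under Domains and EscDomains.
    foreach ($branch in 'Domains', 'EscDomains') {
        $base = Join-Path $ZoneMapRoot $branch
        if (-not (Test-Path $base)) { continue }
        $baseName = (Get-Item $base).Name     # full key name, e.g. HKEY_CURRENT_USER\...\ZoneMap\Domains
        Get-ChildItem -Path $base -Recurse | ForEach-Object {
            $key = $_
            # A sub-key path "example.com\www" means the host www.example.com.
            $parts = $key.Name.Substring($baseName.Length + 1) -split '\\'
            [array]::Reverse($parts)
            $hostName = $parts -join '.'
            foreach ($valueName in $key.GetValueNames()) {
                $zone = [int]$key.GetValue($valueName)
                [pscustomobject]@{
                    Branch   = $branch
                    Host     = $hostName
                    # The registry provider addresses the unnamed value as "(default)".
                    Scheme   = if ($valueName) { $valueName } else { '(default)' }
                    Zone     = $zone
                    ZoneName = if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { "unknown ($zone)" }
                    KeyPath  = $key.PSPath
                }
            }
        }
    }
}

function Get-TrustedZoneHost {
    # Zone 2 is the zone the helper recommends be left empty.
    Get-ZoneMapEntry | Where-Object { $_.Zone -eq 2 }
}

function Remove-TrustedZoneHost {
    # Deletes the Trusted sites mappings; run with -WhatIf first to preview.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($entry in Get-TrustedZoneHost) {
        $target = "$($entry.Host) ($($entry.Scheme), $($entry.Branch))"
        if ($PSCmdlet.ShouldProcess($target, 'Remove Trusted sites mapping')) {
            Remove-ItemProperty -Path $entry.KeyPath -Name $entry.Scheme
            # Drop the key once it is empty so a stale host does not linger in the zone map.
            $key = Get-Item $entry.KeyPath
            if ($key.ValueCount -eq 0 -and $key.SubKeyCount -eq 0) { Remove-Item $entry.KeyPath }
        }
    }
}

# Report: every host listed here runs scripts and downloads under the Trusted zone's relaxed settings.
$trusted = @(Get-TrustedZoneHost)
if ($trusted.Count -eq 0) {
    'No hosts are mapped into the Trusted sites zone for this user.'
} else {
    $trusted | Format-Table Branch, Host, Scheme, ZoneName -AutoSize
}
```

Run `Remove-TrustedZoneHost -WhatIf` to see what would be deleted, then without `-WhatIf` to clear the zone; other user profiles on the machine have their own HKCU hive and must be checked separately.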

Re: explorer.exe using 100% cpu

I ran the ComboFix with the added script file, but when I ran the other online scan it got to 68 percent and just stayed there for almost an hour before I gave up and shut it down. I ran it in the normal booted up OS. Should I try it in safe mode with networks? When I opened the task manager there were 8 explorer.exe with 100% CPU and 97% of the memory taken. Ironically at 68% through it hadn't found any malware yet.

Re: explorer.exe using 100% cpu

So SuperDave, 4 days and 15 cleaner programs later and I don't see an end in sight. I am shopping around for a good Linux OS. It will be sad to lose my wife's Office suite because she is learning how to use it from one of my school books, but to not have to go through this it's worth it. I sure do appreciate your time and effort, and have much respect for someone that can deal with this garbage day in and day out. It sure makes me wonder why people use Microsoft at all. 8 years using a Mac and never having anti anything, but 4 years with MS with antivirus and here I am. The first one I removed myself, but this one is way beyond my knowledge. I guess if the market was different the ignorant creators of these things would find a way, but I don't think they would ever be as bad as they are on a Gates machine. And my professor asked me why I don't want to learn .Net, because I don't want to use windows silly professor.

So my question is, IF I can get this virus off my Windows machine, will it ever run the same again? It just took me 11 hours to save my pictures and videos, way too long, but from what I have read about these viruses it seems like there are going to be many side effects even after removal. I don't know if I have a restore disc anymore, I lost a lot of stuff in a tornado in 2011, so I don't think I can just wipe it and reinstall Vista.

My other question is the stuff that I am putting on my external drive, is it going to bring the virus with it?

Re: explorer.exe using 100% cpu

IF I can get this virus off my Windows machine, will it ever run the same again? It just took me 11 hours to save my pictures and videos, way too long, but from what I have read about these viruses it seems like there are going to be many side effects even after removal.

Yes, if we can get it cleaned it should be the same with no side effects.
My other question is the stuff that I am putting on my external drive, is it going to bring the virus with it?

Not likely, but they should be scanned with your AV and MBAM before putting them back on the computer.

Download Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
Unzip ProcessExplorer.zip, and double click on procexp.exe to run the program.
Click on View > Select Columns.
In addition to the already pre-selected options, make sure the Command Line is selected, and press OK.
Go File>Save As, and save the report as Procexp.txt.
Attach the file to your next reply.

Last edited by Superdave on 27th March 2014, 7:33 pm; edited 1 time in total
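As an added example (not from the thread or from Process Explorer), the PowerShell below produces the same kind of report the Process Explorer step asks for, restricted to explorer.exe: each instance's PID, parent, owner, session, CPU seconds, working set and command line, plus a note on anything that differs from the one expected instance per session. The function name and report path are assumptions of this example.

```powershell
# Added example, not from the thread. Inventories every running explorer.exe
# with the details Process Explorer's Command Line column would show, and notes
# what a reviewer checks first when a machine shows several copies at 100% CPU.

function Get-ExplorerInstance {
    # Normal state: one explorer.exe per interactive session, image at
    # %SystemRoot%\explorer.exe, started by userinit.exe (which has usually exited).
    $expectedPath = Join-Path $env:SystemRoot 'explorer.exe'
    $all   = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[$p.ProcessId] = $p }

    $explorers = @($all | Where-Object { $_.Name -ieq 'explorer.exe' })
    $countBySession = @{}
    foreach ($e in $explorers) { $countBySession[$e.SessionId] = 1 + [int]$countBySession[$e.SessionId] }

    foreach ($p in $explorers) {
        $parent = $byPid[$p.ParentProcessId]
        $owner  = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        $live   = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue

        $notes = @()
        if ($p.ExecutablePath -and $p.ExecutablePath -ine $expectedPath) {
            $notes += "image is $($p.ExecutablePath), expected $expectedPath"
        }
        if ($parent -and $parent.Name -inotin 'userinit.exe', 'winlogon.exe', 'explorer.exe') {
            # Process Explorer shows the same thing as an odd parent in its process tree.
            $notes += "parent is $($parent.Name) (PID $($parent.ProcessId))"
        }
        if ($countBySession[$p.SessionId] -gt 1) {
            # Several copies in one session are legitimate only if "Launch folder windows in a
            # separate process" is enabled or the user restarted the shell; otherwise close them
            # one at a time, as the helper suggests, and note which one comes back.
            $notes += "$($countBySession[$p.SessionId]) instances in session $($p.SessionId)"
        }

        [pscustomobject]@{
            PID          = $p.ProcessId
            ParentPID    = $p.ParentProcessId
            Parent       = if ($parent) { $parent.Name } else { '<exited>' }
            Owner        = "$($owner.Domain)\$($owner.User)"
            Session      = $p.SessionId
            CpuSeconds   = if ($live) { [math]::Round($live.CPU, 1) } else { $null }
            WorkingSetMB = if ($live) { [math]::Round($live.WorkingSet64 / 1MB) } else { $null }
            Path         = $p.ExecutablePath
            CommandLine  = $p.CommandLine
            Notes        = $notes -join '; '
        }
    }
}

# Show the summary and save the full report on the desktop, like the Procexp.txt the helper asks for.
$report = Get-ExplorerInstance
$report | Format-Table PID, ParentPID, Parent, Owner, Session, CpuSeconds, WorkingSetMB, Notes -AutoSize
$reportPath = Join-Path ([Environment]::GetFolderPath('Desktop')) 'explorer-report.txt'
$report | Format-List | Out-String -Width 200 | Set-Content -Path $reportPath
"Saved to $reportPath"
```

The notes are leads, not verdicts: malware such as the Zbot files found by MBAR above usually injects into the legitimate explorer.exe rather than starting its own copy, so a clean path and parent do not rule the process out.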

Here's the report

Here is the report

Re: explorer.exe using 100% cpu

P2P - I see you have P2P software installed on your machine. (Ares) We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
This is how your computer was most likely infected.
When I opened the task manager there were 8 explorer.exe with 100% CPU and 97% of the memory taken.

The next time this happens try closing all but one of them, one at a time and let me know what's happening.

Run the BitDefender Online scanner

Agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files.

Once Bitdefender completes the scan:
Click-on the Detected Problems tab.
Then select Click here to export the scan report.

When the window comes up to save the report, change the Save as type: box to:
Text (Tab Delimited) (*.txt), then in the File name box change the name to bdscan and click Save.

This will save a file named bdscan.txt. I would suggest saving it to the Desktop so you can easily find it. (take notice of where you save it so you can find it later).
This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.

If you do not follow these steps, you will have an incorrect log or, worse, a log summary, which is useless to us.

Post the bdscan.txt file as an Attachment.

Re: explorer.exe using 100% cpu

I appreciate you pointing this out to me. I don't know if this came installed on my computer or if one of us installed it. As far as I know no one uses it, at least we don't do any file sharing, just streaming sometimes. I will get rid of it, and run BitDefender. The only way I have been able to get any of these to run not in safe mode is to sit in front of the computer and close the explorer.exe as they appear. Once I let more than 3 or 4 run the computer just freezes and the scanner fights to get 1% of the CPU. That was what happened last night with the online scanner. It wouldn't let me keep the task manager opened, and then the whole thing just stopped working. I believe that this virus multiplies itself. The first time I ran Malwarebytes it removed 150 files running in normal mode and the scan took 3 hours. So the next time I ran it in safe mode and it took 23 minutes and removed 109. The next day was when I realized that it was still there and contacted you.

Re: explorer.exe using 100% cpu

So, I ran bitdefender and my computer is CLEAN. How can that be? I did have the task manager open to watch and nothing happened.

Riddle me this, I burned a copy of Xubuntu and ran the tryme version that boots from the disk to see if my wife would be ok with it. When I rebooted the computer to do this scan it booted into something I've never seen and asked me if I want to resume booting from some point for boot or delete restore and go back to system restore. I picked the second hoping I didn't guess wrong and it seems to be fine now. That is very strange.

Also, I can't find what you were talking about, Ares; my computer is an Asus and there are a bunch of Asus programs.

Do you have any free antivirus programs that you recommend? We had Norton when we bought this thing but it made the whole system run slow, and then the last 3 months of our subscription it would send a popup every 5 minutes to tell us to renew, so we didn't. We had Avira on here when this happened, and it seemed ok, but not good enough to stop this.


OH YEAH, And thank you sooooo MUCH!!! You really are SUPER.

Re: explorer.exe using 100% cpu

Never mind, Bitdefender just doesn't see it, it is happening right now and I reran Bitdefender and it still says it's clean.

Re: explorer.exe using 100% cpu

Can you please update and run MBAM in Normal mode, if possible?

Do you have any external storage devices plugged into that computer?
Are there any accounts on this computer?


Download Windows Repair (all in one) from this site
Install the program then run it.

Go to Step 2 and allow it to run CheckDisk by clicking on Do It button:

[screenshot]

Once that is done then go to Step 3 and allow it to run System File Check by clicking on Do It button:

[screenshot]

Go to Step 4 and under "System Restore" click on Create button:

[screenshot]

Go to Start Repairs tab and click Start button.

[screenshot]

Please ensure that ONLY items seen in the image below are ticked as indicated (they're all checked by default):

[screenshot]

Click on the box next to Restart System when Finished. Then click on Start.
*********************************************
Please try clean boot to see if that makes any difference.

Remember to only install one antivirus!

1) Avast! Home Edition
2) AVG Free Edition
3) Avira AntiVir Personal
4) Microsoft Security Essentials (all versions and all languages)
5) Comodo Antivirus (if you choose this one, uncheck "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage" during installation)
6) PC Tools AntiVirus Free Edition

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

Re: explorer.exe using 100% cpu

So I ran mbam in normal mode but it froze up so I opened the task manager and when it finally opened there were 7 explorer.exe's running and 100% cpu and 99% of the memory. After getting a few of them deleted the scan finished and the computer was CLEAN?! according to them. I then ran the other tool which took a few hours and it says it fixed several things but also said there are things that it couldn't fix and it is in the log that I haven't looked at yet. I have not tried the clean boot yet because I was running the others until 1am and had to go to work today. Do you want me to attach the log from the last tool I ran?

No accounts on the computer, and no storage devices. I had one attached just to back up some of my photos in case I lose windows and have to get some linux distro.

Last edited by ripper1028 on 29th March 2014, 9:26 pm; edited 1 time in total (Reason for editing : forgot to answer questions.)
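Seven copies of explorer.exe in Task Manager is the kind of thing worth recording before killing anything. The following PowerShell is an added example, not something posted in this thread or part of any tool mentioned here: it lists every running explorer.exe with its image path, parent process and Authenticode signature, and flags any copy not running from the Windows directory. It is read-only.

```powershell
# Added example (not from the thread): inventory running explorer.exe
# instances and flag the ones that deserve a closer look. Read-only.
$expected = Join-Path $env:WINDIR 'explorer.exe'   # where the real shell lives

$procs = Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'"

$report = @(foreach ($p in $procs) {
    # Parent PIDs can be reused after the parent exits, so treat this as a hint.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"

    # ExecutablePath is $null when access is denied; treat unknown as suspicious.
    $path = $p.ExecutablePath
    $sig  = if ($path -and (Test-Path $path)) {
                (Get-AuthenticodeSignature -FilePath $path).Status
            } else { 'Unknown' }

    [pscustomobject]@{
        PID        = $p.ProcessId
        Path       = $path
        Signature  = $sig
        ParentName = $parent.Name
        ParentPID  = $p.ParentProcessId
        # Legitimate shell: expected path, valid signature. A second copy
        # spawned by another explorer.exe can be benign, so it is only flagged.
        Flag       = ($path -ne $expected) -or ($sig -ne 'Valid') -or
                     ($parent.Name -eq 'explorer.exe')
    }
})

$report | Sort-Object Flag -Descending | Format-Table -AutoSize -Wrap
"explorer.exe instances: $($report.Count)"
if ($report.Count -gt 1) {
    "More than one explorer.exe in a single logon session is unusual; check the flagged rows."
}
```

Run it from an elevated PowerShell so the image path of every process is readable; rows with Flag = True and a path outside C:\Windows are the ones to show a helper before deleting anything.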

Re: explorer.exe using 100% cpu

Yes, I would like to see that log.

Re: explorer.exe using 100% cpu

I am sorry Dave, I have been trying to find the log for an hour and I have no idea where it was saved. If you have any idea that would be helpful.

Found Logs

I opened the program again and found where to look in the settings. There are several files though, so I am going to attach a zip folder with all the .txt files from last night.

I went through some of it, and I also found a Windows log while searching. The Windows log had warnings starting on the 23rd about a proxy, but most of the rest I didn't understand. These logs from last night showed a bunch of registry key warnings but that was all I really got out of it.

Re: explorer.exe using 100% cpu

Download this file: ZbotKiller.zip

Save it to your Desktop. Right-click on it, and click Extract All...

Follow the prompts to get it saved to your Desktop.

There should be a new folder called ZBOTKiller on your Desktop that is not zipped.

Then, open Notepad and enter in the following:

Code:

zbotkiller.exe -y -l report.txt -v


Then, click File > Save as...

In the file name box, enter in zbotkiller.bat

Choose Save as type... All Files.

The location will be the new ZBOTKiller folder located on your Desktop.

Once you have it saved correctly, exit Notepad.

Go to the new ZBOTKiller folder and double-click on ZBOTKiller.bat

It will create a log. Please post the log in your next reply.

log is too long

I tried to break it up in half and then quarters and then thought maybe I will just attach it.

Re: explorer.exe using 100% cpu

Any change?

Re: explorer.exe using 100% cpu

I don't know for sure. I haven't seen the explorer.exe multiplying like it was, but I downloaded Avast free edition and installed it since I uninstalled Avira because I couldn't turn it off and the scans I was running were complaining.

So I know I'm only supposed to do what you tell me, but you did say I need to have an antivirus, so when I installed Avast it doesn't even ask, it just runs a scan. When it finished it asked what to do with the corrupt or infected files and I said fix or send to chest. But while it was fixing it I got oh maybe 165 little boxes that say Threat Detected
url//mini-max/b/opt/thensomething that looks like a sessionID
And it says it's coming from explorer.exe

there were other urls I didn't write them all down yet that was just the last one that I saw, the first one was vine-ripe.com/b/opt/ID

After Avast restarted the computer it ran a system scan that took like 5 hours and it then asked me the same question and I picked the same solution, if you can't fix then send to chest. When the computer did finally start it is giving me the same alerts.

Re: explorer.exe using 100% cpu

Ok, download and install MSE from MS and try running a scan with that AV and we'll see what turns up.

Re: explorer.exe using 100% cpu

Avast actually just found Boot:Cidox-A, and it says severe by it. When I tried to move to the chest it says action not supported.

Re: explorer.exe using 100% cpu

Let's see what MSE does with it.

Re: explorer.exe using 100% cpu

I am going to have to wait on it, I left the window open on Avast to wait for your next response and when I went back there was a new window that said it recommended removing it immediately and rerunning the system scan to make sure it was removed. It took a few hours the first time, so when it is finished if it is still giving me the alerts I will try it.

Re: explorer.exe using 100% cpu

After everything finished last night the threat was still coming up, so I downloaded MSE and turned off all active monitoring with Avast and installed MSE. It got through the install process and I got into the security center and turned everything on and it said that my MSE was outdated and recommended that I update it? So I hit update and I guess it was getting all the new definitions and about 5 minutes later the computer crashed. The screen turned black and a message came up that said explorer.exe was not running restart or go online to find a solution. I restarted and tried to get back in to try to fix things but I seemed to have pissed off this virus because it is multiplying in my task manager at a more rapid pace than before. I didn't have time to play with it this morning because I have to go work. I did see other manual removal procedures online when I was trying to find out more about this virus, most said try at your own risk though.

Re: explorer.exe using 100% cpu

I did see other manual removal procedures online when I was trying to find out more about this virus, most said try at your own risk though..

Most of those other removal procedures involve downloading another tool which will probably make matters worse.

Download OTL to your desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* When the window appears, underneath Output at the top change it to Minimal Output.
* Check the boxes beside LOP Check and Purity Check.
* Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Please copy and paste the contents of these files, one at a time, into your next reply.

Note: You may need two or more posts to fit them all in.

Re: explorer.exe using 100% cpu

When you say uninterrupted do you mean don't touch the computer, or should I stop the process of the extra .exe's that crash the computer? When I had Avast running it blocked the exe's but MSE doesn't do anything. I didn't see where you turn off MSE so that I can turn Avast back on. Sorry, I don't know Windows very well, I've been on a Mac for 8 years.

Re: explorer.exe using 100% cpu

SuperDave, I tried running that program last night without interrupting and after 4 hours I shut it down, and then I did the unthinkable. I broke our agreement, well not immediately after, first I tried running mbar again since Avast was recognizing it, and it did say there were 2 sector problems but after clean up it was still the same. Then the unthinkable, I downloaded TDSSKiller and ran it, and it took 59 seconds to run and find the problem and about the same to delete it. It then restarted the computer and ran a system scan and came back clean. Funny thing though, after it was done MSE recognized this program as a virus and recommended I remove it immediately. So I either made things much worse, or MSE only recognizes cures as a virus. Either way, the exe has not multiplied, I turned Avast back on and it hasn't had an alert, and I am now rerunning the Tweaking fixit tool to fix my registry again. I am sorry if this is disappointing or if I wasted your time, but it's been 8 days of sharing my computer with my wife and it was either that or divorce. Not really, I was going to replace Windows with some Linux system, but thank you again for all of your effort, and if you know anything bad that I did I would love to hear back, or if you didn't know about this other program and it is a help to you in your quest to free Gates' followers from infection.

Re: explorer.exe using 100% cpu

I didn't see where you turn off MSE so that I can turn Avast back on.

Open MSE, click on Settings and then click on Real-Time Protection and you can turn it off there.

after it was done MSE recognized this program as a virus and recommended I remove it immediately. So I either made things much worse, or MSE only recognizes cures as a virus.

No, that's not unusual; an AV will often recognize a cleaning program as malicious.

I am sorry if this is disappointing or if I wasted your time, but it's been 8 days of sharing my computer with my wife and it was either that or divorce.

That's not a problem. I hope that TDSSKiller did the job. That's the one I was going to try next. Give it a few days and let me know how things are.

Re: explorer.exe using 100% cpu

I haven't looked at it since this morning, but after writing my last post I finished the Tweaking tool and when rebooting it took a very long time to load. It isn't the fastest laptop being 4+ years old, but it was unusually slow from password page to load the user page. I am glad that I was just a step ahead. Is there somewhere that I can see what processes Windows needs to have running and which ones I can work on taking out of the startup?

Re: explorer.exe using 100% cpu

StartupLite

Download StartupLite by MalwareBytes to your Desktop.
Doubleclick StartupLite.exe to launch the program.
Ensure the Disable box is checked.
Click Continue.
A pop-up message will tell you the unnecessary startup items in your list have been disabled and ask you to restart your computer.
Re-start your computer.
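StartupLite only reports what it disabled. If you want to see the startup list yourself first, this added PowerShell (not part of the thread and not StartupLite's output) enumerates the usual auto-start locations, the Run/RunOnce registry keys and both Startup folders, and marks entries whose command points into the user profile or a Temp folder, where vendor software rarely lives. It changes nothing.

```powershell
# Added example (not from the thread): list common auto-start entries for
# review before disabling anything. Read-only.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties PowerShell attaches to every registry item; not real entries.
$psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$entries = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -in $psNoise) { continue }
        [pscustomobject]@{ Location = $key; Name = $prop.Name; Command = [string]$prop.Value }
    }
})

# Per-user and all-users Startup folders.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$entries += @(foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File | ForEach-Object {
        [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $_.FullName }
    }
})

# Flag commands that launch from the profile or a Temp directory.
$profileRx = [regex]::Escape($env:USERPROFILE)
$entries |
    Select-Object Location, Name, Command,
        @{ n = 'ProfileOrTemp'; e = { ($_.Command -match $profileRx) -or ($_.Command -match '\\Temp\\') } } |
    Sort-Object ProfileOrTemp -Descending |
    Format-Table -AutoSize -Wrap
```

Scheduled tasks and services are further auto-start locations this listing does not cover; the rows marked ProfileOrTemp = True are the ones to ask about before removing.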

Re: explorer.exe using 100% cpu

Hey SuperDave, so just an update, I ran startuplite and it stopped a few processes but not too many. The computer was still too slow, more than likely corrupt files or something from the virus, and I wasn't going to spend another week trying to fix it. I wiped the drive and put Kubuntu on the computer, which surprisingly is very "windows" like, but doesn't come with the same problems I guess. The problem now is to teach my wife how to handle formats, and find programs to replace the ones she lost with her vista machine. But the computer runs like new now, and there is a much better chance that it will last long enough to save up for a new one.

On another note, I noticed that when you run these Linux systems in trial mode it runs off the disc/usb drive, yet you can still access the stuff in the Windows system. When I realized that I wondered why someone doesn't build a virus killer in with a Linux distro that can run from a flash drive (for persistence). Since the viruses that infect Windows don't seem to do anything to Linux, if it were possible to do then you wouldn't be battling against a virus that is trying to protect itself. Just a thought, I don't know that much about how these things work, but if it were possible then it could make life easier for people like you that have to put up with people like me.

PS. If you take this idea and make millions make sure to remember the little guy!

Re: explorer.exe using 100% cpu

PS. If you take this idea and make millions make sure to remember the little guy!.

We do have a few Linux based recovery systems and I'm sure that the big AV companies have looked at such things. I'm glad you have your computer up and running. Good luck!
