iexplore.exe spawns 2 hidden processes and generates HUGE click traffic

Hello,

I have a very perplexing problem that I need your help with. Although I do not profess to be a security/vulnerability expert, I have done my fair share of disinfections over the years for friends and colleagues. By trade, I am a database administrator, and I also have experience programming discrete microcontrollers (for light industrial controls, etc. - not PLCs, but actual MCU chips) - so, I do consider myself to be relatively tech savvy.

I am helping a long-time friend who, at this point, is out of his depth (and actually, I’m reaching the limits of my talents, too [smile]). Recently, he received an automated email notice from his ISP indicating that he had used 75% of his monthly bandwidth (which is 100GB!) - so, he contacted me to have a look at things, since that was definitely not normal. In reviewing his ISP history, we have determined that the problem started to occur several weeks ago (around February 11th) and went totally undetected. We have been working with support people at Malwarebytes and Avast since we discovered it - but to no avail (more details on that, below).

Between us, we have done a lot of experimenting to determine as much about the symptoms etc. as we can. Oh - at this point, I should probably mention that this is a WinXP SP3 system.

Something that has me very perplexed about this infection is that it managed to insert itself somehow into the user-level account, and it is account-specific; the Administrator account does not appear to be infected, nor do any of the other accounts.

One of the things you should know is that, as a rule, he does not run with an admin-level account (not even Power User level - all as per my advice [smile]). Naturally, from time to time, he does have to switch over to Administrator to complete something. But, as I described above, it would seem that the infection did not occur in the Admin account.

The major symptom of the infection is that, when Internet Explorer is launched/used, 2 additional (unprovoked) instances of iexplore.exe eventually show up in the Task Manager. These other two instances are responsible for automatically generating huge amounts of what appears to be click-through traffic - as in, tens and tens of thousands of clicks per day. We can see this by looking at real-time statistics in Avast.

Before I even approached anyone for support, I ran several different types of scans, using several different products, and with only one exception, the scans all came back clean. Here is what I did:

  • Removed the hard drive, and scanned it (fully) as a benign/external drive attached to a totally different system, using Malwarebytes Antimalware, SUPERAntiSpyware, and Avast; results were clean in all cases.

  • With the hard drive back in the system, ran full system/drive scans using Malwarebytes Antimalware, SUPERAntiSpyware, Kaspersky TDSSKiller, and Avast - nothing found. I also used Malwarebytes Anti-Rootkit BETA - and it found remnants of Sirefef; these were tagged and removed … yet, the symptoms still remain.

  • Using Malwarebytes (paid), I also performed a Flash scan - while the system was misbehaving - and it found nothing either.

We have worked with Malwarebytes Support, and they quickly reached a point where they were convinced that there is “no trace of malicious elements installed on this computer”. Yet, the problem continues - so, it is obviously something that they are unable to detect or help with.

We also worked with Avast Support, but apparently they do not provide disinfection support - so they have directed us to use this forum.

When the symptoms occur, we can eliminate them by ending all processes of iexplore.exe in Task Manager. So long as we end all of them, everything is under control. But of course, the next time Internet Explorer is used, the symptoms do come back. No other program (including Outlook Express) triggers the problem.

I have tried completely uninstalling Java and removing all of its cache files, and I also tried removing Flash - in case it was really some kind of Java-based or Flash-based infection. However, there was no change in the symptoms.

It really is isolated to Internet Explorer, and only under the normal/daily (restricted) user account.

At this point, I am totally stumped. I need your assistance to track this down and get rid of it.

I was going to attach 3 screenshots in a ZIP file - but, apparently, the forum will not accept that file type. Also, with the 3 TXT logs that I need to attach (as per your sticky), I only have one file slot left (since the forum also restricts attachments to a total of 4). So, I am attaching one screenshot which shows a sample of the Avast real-time activity.

As per the instructions in the sticky at the top of this forum, I have run the Malwarebytes Premium scan, the OTL scan, and the aswMBR scan - and I have attached those results to this message, too.

Hopefully, armed with all of the above info, I’ve given you a head-start to being able to help. I am certainly looking forward to any insight you may be able to provide [smile].

Regards,

Brant
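As an added illustration of the symptom described in the first post (this is not code from the thread or from any of the tools named in it): a small script that parses `tasklist /V /FO CSV` output and separates iexplore.exe instances that own a visible window from those that do not, then flags hidden instances that have consumed more CPU time than the visible browser or that remain after every browser window is gone. The column names are tasklist's real ones; the process rows are constructed. Note that IE8 and later legitimately run per-tab processes with no window title of their own, so a hidden instance by itself is not proof of anything; it only stands out when it outworks or outlives the visible window, which is exactly what the post reports.

```python
import csv
import io

# Constructed sample of `tasklist /V /FO CSV` output: the column names are the
# real ones, the process rows are made up. tasklist reports "N/A" as the window
# title for a process that owns no visible top-level window.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"explorer.exe","1240","Console","0","21,300 K","Running","PC\\user","0:00:12","N/A"
"iexplore.exe","1880","Console","0","45,212 K","Running","PC\\user","0:00:05","Google - Windows Internet Explorer"
"iexplore.exe","2016","Console","0","88,004 K","Running","PC\\user","0:03:41","N/A"
"iexplore.exe","2044","Console","0","79,556 K","Running","PC\\user","0:02:58","N/A"
'''


def cpu_seconds(text):
    """Convert tasklist's H:MM:SS "CPU Time" value to seconds."""
    h, m, s = (int(part) for part in text.split(":"))
    return h * 3600 + m * 60 + s


def browser_instances(tasklist_csv, image="iexplore.exe"):
    """Split the rows for `image` into visible and hidden (no window) instances."""
    visible, hidden = [], []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        if row["Image Name"].lower() != image:
            continue
        entry = {"pid": int(row["PID"]), "cpu": cpu_seconds(row["CPU Time"])}
        (hidden if row["Window Title"] == "N/A" else visible).append(entry)
    return visible, hidden


def assess(tasklist_csv, image="iexplore.exe"):
    """Summarise the browser processes and flag the two patterns from the post:
    hidden instances busier than the visible window, and hidden instances
    that survive with no visible window at all (orphaned)."""
    visible, hidden = browser_instances(tasklist_csv, image)
    most_cpu_visible = max((v["cpu"] for v in visible), default=None)
    busy = [h for h in hidden if most_cpu_visible is not None and h["cpu"] > most_cpu_visible]
    return {
        "visible": len(visible),
        "hidden": sorted(h["pid"] for h in hidden),
        "busy_hidden": sorted(h["pid"] for h in busy),
        "orphaned": bool(hidden) and not visible,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_TASKLIST))
```

On a live machine, pipe the real output in with `tasklist /V /FO CSV > tasks.csv` and pass the file contents to `assess`.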

I was going to attach 3 screenshots in a ZIP file
If not too big, you can attach them non-zipped in a new reply ;)

Hi there, this looks like a mystery to resolve.

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right click to run as administrator (XP users click Run after receipt of Windows Security Warning - Open File). When the tool opens, click Yes to the disclaimer.
  • Select both Shortcut and Addition at the bottom.
  • Press the Scan button.

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

  • It will produce a log called FRST.txt in the same directory the tool is run from, plus 1 Addition.txt and 1 Shortcut.txt.
  • Please attach all 3 logs generated.

WOW! I never expected to get attention so quickly. Thanks!

Pondus - I am embarrassed now; I never thought about replying to my own thread to add more attachments. Cute trick. The other 2 screenshots (for what they’re worth) are attached to this message.

Essexboy - I will scoot over to my friends place, shortly, and carry out your instructions. I’ll post the results back in a little while.

Thanks again for responding so quickly, and for showing an interest in taking on the challenge. You hit the nail on the head when you called it a “mystery”.

Brant

Hello Essexboy,

As requested, I ran the Farbar tool, and the resulting 3 files are attached.

I will await further instruction.

Brant

Hello (again) Essexboy,

My sincerest apologies. I realized, just after I posted those results, that I may not have carried out your intentions, precisely.

In re-reading your post (the part where it says to right-click to run as Admin), I am now thinking that you intended the tool to be run from within the problematic (restricted user) account. What I did, originally, was run it in an Admin account.

So, I have since re-run it from within the restricted user account, having right-clicked on it to execute it as an Admin. The revised log files are attached here.

Again … sorry about that.

Brant

Whilst I go through the logs, do you recognise this file/programme TranscendService(JF).exe? I can find nothing concrete on it.

Can it be related to this? http://www.transcend-info.com/products/Catlist.asp?modno=284

OK, that could be it, as it was a mountpoint on an external drive.

OK, I can see an old ZeroAccess infection; did MBAM ask you to run ComboFix?

All fixes and scans from the affected logon, please.

Download the attached Fixlist.txt to the same location as FRST.
Run FRST and press Fix.
On completion a log will be generated; please post that.

I texted my friend, to find out if it meant anything to him, and I have just received a response. He has confirmed that he has indeed used Transcend USB products from time to time, but has never knowingly installed any of their utilities etc.

(Of course, it could have been an auto-run situation with some bundled software on one of their drives, without him realizing what was going on. He is normally pretty observant - but, mere mortals can miss things sometimes [grin].)

Ah - while I was typing this, your latest reply came in …

MBAM did not suggest any additional steps. It simply quarantined the element, asked me to reboot, and that was it.

I have a question about your instructions (for the next step) - I understand that you want me to execute that from the affected logon; no problem there. I am under the impression that FRST will always require admin level to run - is that correct? If so, will it be sufficient for me to continue using the “Run As” technique, or do you want me to elevate the affected logon to be part of the Admin group (until we’re finished with all of the cleaning work)?

I won’t do anything until I hear back.

Use Run As, please. I will then use ComboFix afterwards, if needed, to check some other areas.

Okay, thanks.

Done.

Resulting log file is attached.

OK, I would like to run ComboFix now to check a few other areas. Meanwhile, are the additional IE processes still being spawned?

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

Although I was curious, I purposely did not launch IE. You hadn’t instructed me to do so, and I didn’t want to mess anything up by jumping the gun. I’ve seen how frustrating it gets, in other posts, when people go ahead and do things on their own … and I believe the sticky specifically asks people to do what they’re told, and only what they’re told … and to basically just leave the system alone between steps. So, I was trying to respect that. [smile]

I will launch IE now, do a little bit of benign activity (just search for a few terms in Google or Bing), and then I’ll leave the system to idle for a bit - that’s when we usually start to see activity (if it is still going to happen).

After that, I’ll move on to carry out your ComboFix instructions. Speaking of which - does ComboFix require “Run As” (admin) … or should it be run in just the normal logon context?

Run As again, please, although it should self-elevate.

Okay, will do.

BTW - the early signs are that IE is behaving itself. I am going to leave it for about an hour or so, before continuing on with the ComboFix step. Although, in the past, IE has typically started to misbehave within 5-10 minutes of using it … I have seen once or twice where the problem didn’t show up for 30-40 minutes.

So, don’t take the delay in response as being that I have lost interest or have fallen off the face of the earth. [smile]

I will definitely be back, once I am confident that the (positive) results so far are not misleading. I know there is more to do. I am quite thrilled with the level of support I am receiving, and I certainly want to “do my part”.

Cheers!

No problem, I will be going offline shortly, as I really need my beauty sleep - well, according to the better half, anyway. [smile]

I will pick it up again tomorrow.

I know what you mean - I have a better half who tries to keep me grounded and sane, also. [smile]

Get some rest - you deserve it. “See” you tomorrow.

Okay … IE behaved itself for >3 hrs, so I think it is safe to say that the misbehaviour is gone. [smile]

I ran ComboFix, as instructed. The resulting log file is attached.