new iexplore.exe adware/malware? undetected by all scans (edited-- win32:cycler)

Some sort of malware has hijacked my Internet Explorer and there are constantly several iexplore.exe processes running in the background. I tried uninstalling and disabling IE in the control panel to no effect. When I terminate these iexplore.exe processes, they automatically reappear instantly. Every once in a while, I get a popup ad on my screen in an IE window.

None of the antivirus programs can identify this malware. I normally have avast free, windows defender, spyblaster and zonealarm firewall running, and none of them caught this. I also regularly run spybot S&D and windows update. I also did an avast free boot time scan, panda, MBAM. Came up with nothing.

The only system to seem to find anything at all was panda. It said I had browser vulnerabilities (no kidding!), but the only suggested solution was an old windows update that had been done long ago. I reinstalled the suggested update with no effect.

I have been searching the web forums and finding very recent reports (many of them this week) of a new possible “root kit” that affects iexplore.exe.

My log files are attached, any help would be greatly appreciated!!

constantly several iexplore.exe processes running in the background
do you have many tabs open at the same time ?

I don’t ever use IE, I use Chrome and Firefox for the most part.

Essexboy will be here in about 1-2 hours…

do you have AVG and avast installed at the same time ?

I used to have avg but I thought I uninstalled it and installed avast. If AVG is still on my computer, it’s never running or updated.

I was looking at your ActiveScan log… Only install one AV… You seem to have tested all security programs known to mankind ;D

at least I can’t be accused of not trying to solve it with the obvious tools first :smiley:

I also see that there are some you have not tested ;D but we leave this to Essexboy…

Could I have a look at the combofix log please

Here’s the combofix log. Oh yeah, I guess I forgot to mention I ran combofix. It had me install recovery before it proceeded.

Do you have any of these symptoms besides multiple IE processes? Such as:

  1. Volume control randomly mutes the wave setting.
  2. Random clicking noises.
  3. Random voice ads playing in the background.

If you have any or all of these symptoms, then you are infected with the “Black Internet Trojan” (Win32:Cycler). Where there’s the Black Internet infection, there’s a bootkit (MBR rootkit).

Please download Bootkit Remover by esage lab onto your desktop.

Note: This is a rar file. If you don’t have an extraction program, you can use 7-zip or Peazip.

  • After extracting remover.exe to your Desktop, double-click the remover.exe file to run the program.
  • Attach or post inline here the output from remover.exe.
  • Note: The Command prompt window text can be copied to the clipboard by right-clicking on the top bar of the window and using the Edit commands to Mark, Copy, and Paste.
  • Please attach the remover.exe output along with the below requested logs.

Yes, it did mute my volume multiple times, which I noticed when I was watching a video. However, I didn’t notice #2 and #3 because I usually keep my headset plugged in, I don’t use speakers. This sounds like the right one.

I had tried remover.exe before (I must have found some instructions somewhere to do this) but it didn’t work when I tried it. However, running it this time, it did find something.

Bootkit Remover version 1.0.0.1 (c) 2009 eSage Lab www.esagelab.com

\\.\C: → \\.\PhysicalDrive0
SPTI_Read(): DeviceIoControl() ERROR 1
ERROR: SPTI_Read() fails for \\.\PhysicalDrive0
MD5: d4b876239615e81ab805b6a9431ee920
\\.\D: → \\.\PhysicalDrive0

 Size  Device Name          MBR Status

372 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>

Press any key to quit…

How do I follow the instructions (what should I enter for device name and output file?)

[edited]
Ok I followed the readme instructions and here’s what I get for a dump

C:\Documents and Settings\TC\Desktop>remover.exe dump \\.\PhysicalDrive0 dump.txt
Bootkit Remover version 1.0.0.1 (c) 2009 eSage Lab www.esagelab.com

Dumping master boot sector of \\.\PhysicalDrive0…
SPTI_Read(): DeviceIoControl() ERROR 1
ERROR: Can’t read first sector of disk by SPTI.

Press any key to quit…

I had found instructions somewhere to create a bat file with the following:

@ECHO OFF
START remover.exe fix \\.\PhysicalDrive0
EXIT

If I run that bat file, here’s the result:

Bootkit Remover version 1.0.0.1 (c) 2009 eSage Lab www.esagelab.com

Restoring boot code at \\.\PhysicalDrive0…
SPTI_Read(): DeviceIoControl() ERROR 1
ERROR: Can’t read first sector of disk by SPTI.

Press any key to quit…
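The remover output above suggests inspecting a dumped master boot sector by hand. The following is an added example, not part of this thread or of eSage Lab's tool: a small Python checker for a 512-byte MBR dump that verifies the 0x55AA signature, parses the partition table, and compares the MD5 of the 440-byte boot code region against a set of known-good hashes. The known-good set and the sample sectors are constructed here for demonstration; a real check would use hashes of a trusted MBR image.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0-439: the boot code a bootkit overwrites
PT_OFFSET = 446               # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of every valid MBR

def parse_mbr(sector):
    """Parse one 512-byte sector into boot-code hash, signature flag and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one %d-byte sector" % SECTOR_SIZE)
    parts = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, PT_OFFSET + 16 * i)
        if ptype:  # partition type 0x00 means the slot is unused
            parts.append({"active": status == 0x80, "type": ptype,
                          "start_lba": lba, "sectors": count})
    return {"boot_code_md5": hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest(),
            "signature_ok": sector[510:] == BOOT_SIGNATURE,
            "partitions": parts}

def inspect_mbr(sector, known_good_md5):
    """Return a list of findings; an empty list means nothing looked wrong."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature (corrupt or unreadable MBR)")
    if info["boot_code_md5"] not in known_good_md5:
        findings.append("boot code hash %s not in known-good set" % info["boot_code_md5"])
    if sum(p["active"] for p in info["partitions"]) != 1:
        findings.append("expected exactly one active partition")
    return findings

def build_sample_mbr(boot_code, partitions, signature=BOOT_SIGNATURE):
    """Construct a sector from test inputs (constructed data, not a real disk image)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (active, ptype, lba, count) in enumerate(partitions):
        struct.pack_into("<B3sB3sII", sector, PT_OFFSET + 16 * i,
                         0x80 if active else 0, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector[510:] = signature
    return bytes(sector)

# Constructed sample: a stand-in "clean" boot code and a hypothetical known-good hash set
CLEAN_CODE = (bytes(range(256)) * 2)[:BOOT_CODE_LEN]
KNOWN_GOOD = {hashlib.md5(CLEAN_CODE).hexdigest()}
ONE_NTFS = [(True, 0x07, 63, 780000000)]  # one active NTFS partition, constructed sizes
```

Feed it the first 512 bytes of a dump file (or of a raw disk read) and compare the findings with what a tool such as remover.exe or MBRCheck reports.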

The MBR is corrupted. Looks like we will have to fix the MBR with a Windows XP boot CD, if you have it. So back up all of your personal files before proceeding to fix the MBR.

  1. Boot to Windows XP CD

  2. Go to Recovery Console

  3. Run FixMBR to repair the Master Boot Record.

If you need to fix MBR you can also consider Partition Wizard http://www.partitionwizard.com/download.html

I was going to use the Windows Recovery Console but it gave me a really scary warning about losing everything.

So I tried Partition Wizard. Looks like I only had one partition even though I have two hard drive letters. So I rewrote the MBR.

Then I ran MBRCheck.exe which I found on another thread. Here’s the result

MBRCheck, version 1.1.0 (c) 2010, AD

\\.\C: → \\.\PhysicalDrive0
\\.\D: → \\.\PhysicalDrive0

  Size  Device Name          MBR Status

372 GB  \\.\PhysicalDrive0   Error reading raw MBR!

Done! Press ENTER to exit…

My computer booted up so obviously I must have an MBR. Why am I getting an error message, and am I now free of this stubborn adware yet?

Jtaylor:

Should I just ignore the warning and use Windows recovery console? Not sure if that Partition Wizard MBR repair worked.

I ran the remover.exe bat file just now and it still says there’s an unknown boot code. It wouldn’t let me do a dump or a fix.

Bootkit Remover version 1.0.0.1 (c) 2009 eSage Lab www.esagelab.com

Restoring boot code at \\.\PhysicalDrive0…
SPTI_Read(): DeviceIoControl() ERROR 1
ERROR: Can’t read first sector of disk by SPTI.

Press any key to quit…

You will have to back up your personal files with a data recovery disc with ZA Recovery (cost about $50 for licence purchase).

Unformat Tutorial for RAW filesystem.